CVE-2025-62158

Frappe had attachments made by students to their assignments of type Text set to public

CVSS 2.7 LOWEPSS 0.3%CWE-200

Vexday Risk Score

8Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 2.7EPSS 0.3%KEV nãoPoC —Patch —

Lifecycle

Oct 10, 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Frappe Learning is a learning system that helps users structure their content. In versions prior to 2.38.0, the system did stored the attachments uploaded by the students in their assignments as public files. This issue potentially exposed student-uploaded files to the public. Anyone with the file URL could access these files without authentication. The issue has been fixed in version 2.38.0 by ensuring all student-uploaded assignment attachments are stored as private files by default.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

Affected products

frappe · lms

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/frappe/lms/commit/78640561f558a6c7396f8be48874f79a54f03420 https://github.com/frappe/lms/security/advisories/GHSA-h6fh-7f24-f2j5