CVE-2025-64705

Frappe user was able to access the submission of other students

CVSS 1.3 LOWEPSS 0.2%CWE-200

Vexday Risk Score

8Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 1.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

12 Nov 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Frappe Learning is a learning system that helps users structure their content. Starting in version 2.0.0 and prior to version 2.41.0, users were able to access the submissions made by other students The issue has been fixed in version 2.41.0 by ensuring proper roles and redirecting if accessed via direct URL.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

Affected products

frappe · lms

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/frappe/lms/security/advisories/GHSA-qrvv-6g7r-g3v8