CVE-2025-67734

Frappe Authenticated Users can Execute JavaScript through its Job Form

CVSS 5.1 MEDIUMEPSS 0.1%CWE-79

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.1EPSS 0.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

12 Dec 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script could then be executed in the browsers of users who opened the malicious job posting. This issue is fixed in version 2.42.0.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

frappe · lms

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/frappe/lms/commit/ca849da81558066d7614b9b6234004ff59c90632 https://github.com/frappe/lms/security/advisories/GHSA-c495-qg4v-5vr7