← back
CVE-2026-34606

Stored XSS in Frappe LMS

CVSS 6.9 MEDIUMEPSS 0.2%CWE-79
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.9EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
02 Apr 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
frappe · lms

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/frappe/lms/commit/b8283860a7f029ea2fa0245131c398c079088921https://github.com/frappe/lms/pull/2185https://github.com/frappe/lms/releases/tag/v2.48.0https://github.com/frappe/lms/security/advisories/GHSA-qf5w-r34q-c7j2