Auth bypass in Frappe LMS
CVE-2025-66581
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned role…
Vulnerability class: Broken Access Control
EPSS: 0.001 (16.0th percentile)
Affected products
- Frappe LMS — versions < 2.41.0
Weakness classification (CWE)
References
- https://github.com/frappe/lms/security/advisories/GHSA-2ch7-c74m-432m (x_refsource_CONFIRM)