XSS in Frappe LMS
CVE-2026-34606
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0.
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.000 (10.7th percentile)
Affected products
- Frappe LMS: versions >= 2.27.0, < 2.48.0
References
- https://github.com/frappe/lms/security/advisories/GHSA-qf5w-r34q-c7j2 (x_refsource_CONFIRM)
- https://github.com/frappe/lms/pull/2185 (x_refsource_MISC)
- https://github.com/frappe/lms/commit/b8283860a7f029ea2fa0245131c398c079088921 (x_refsource_MISC)
- https://github.com/frappe/lms/releases/tag/v2.48.0 (x_refsource_MISC)