CVE Catalog

CVE-2026-39405

Critical
Published: Translated: NVD NIST

Summary

Frappe Learning Management System (LMS) versions 2.50.0 and below allowed users with course editing roles to upload SCORM ZIP packages, enabling file writes outside the intended directory. This issue has been resolved in version 2.50.1.

Risk Assessment

The ability to write files in unintended locations poses a risk of data integrity breaches and potential malware introduction.

Recommendation

It is recommended to upgrade the system to version 2.50.1 or later to mitigate this vulnerability.

Original NVD description (English source)

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.50.0 and below, a user with course editing role could upload a SCORM ZIP package to write files outside the intended directory. This issue has been resolved in version 2.50.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS