Frappe Learning Management System HTML and JavaScript Injection Vulnerability

Vulnerability

A vulnerability allowing HTML and JavaScript injection has been identified in Frappe Learning Management System (LMS) versions prior to 2.42.0. This issue allows authenticated users to insert malicious content into the description fields of the Job, Course, and Batch forms. The injected scripts are executed in the browser of any user who views these items.

Impact

Exploitation of this vulnerability could lead to cross-site scripting (XSS) attacks, where malicious scripts are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, an authenticated user can add malicious HTML or JavaScript into the description fields of the Job, Course, or Batch forms. Once saved, the injected scripts will execute in the browser of any user who opens these forms.

Remediation

Users can upgrade to Frappe Learning Management System version 2.42.0 or later to address this vulnerability.

Added: Dec 12, 2025, 8:18 AM
Updated: Dec 12, 2025, 3:40 PM

Vulnerability Rating

Custom Algorithm

spread:         1.0
impact:         1.7
exploitability: 6.2
remediation:    7.7
relevance:      1.4
threat:         4.8
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.