Frappe Learning Management System
cpe:2.3:a:frappe:frappe_lms:*:*:*:*:*:*:*
- <= 2.49.0
A path traversal vulnerability (a "zip slip") has been identified in Frappe Learning Management System (LMS) versions through 2.49.0. It allows users holding a course editing role to upload SCORM ZIP packages whose entries write files outside the directory designated for the package. The root cause is insufficient validation of the extraction paths derived from entry names in the SCORM package, so an entry name containing traversal components is written wherever it points.
Exploitation results in unauthorized file writes on the server with the privileges of the application process, which may overwrite existing files or cause other unintended consequences.
Users are advised to update to Frappe LMS version 2.50.1 or higher, where this vulnerability has been patched by validating extraction paths to ensure they remain within the SCORM directory.
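The two patterns described above, an extractor that trusts ZIP entry names and one that confines every resolved path to the SCORM directory, shown side by side in an added Python example. This is illustrative code written for this page, not Frappe LMS code; the package contents, directory names and function names are constructed for the demonstration.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_scorm_zip() -> bytes:
    """Constructed sample package (not a real Frappe LMS upload): one
    ordinary SCORM entry plus one entry whose name climbs out of the
    extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("imsmanifest.xml", "<manifest/>")
        zf.writestr("../../outside.txt", "escaped")
    return buf.getvalue()


def unsafe_extract(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: the entry name is trusted when the output path
    is built, so '../' components walk out of dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Hardened pattern: resolve every target path first and require it to
    stay under dest; nothing is written if any entry fails the check.
    Absolute entry names are rejected too, because os.path.join discards
    dest when the right-hand side is absolute."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"path traversal in ZIP entry: {info.filename!r}")
            targets.append((info, target))
        written = []
        for info, target in targets:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors on the constructed package inside a scratch
    directory. Returns the files the naive extractor wrote outside its
    SCORM directory (relative to the scratch root) and whether the
    hardened extractor refused the package."""
    data = build_malicious_scorm_zip()
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        course_a = os.path.join(tmp, "scorm", "course-a")
        os.makedirs(course_a)
        escaped = [
            os.path.relpath(p, tmp)
            for p in unsafe_extract(data, course_a)
            if os.path.commonpath([course_a, p]) != course_a
        ]
        try:
            safe_extract(data, os.path.join(tmp, "scorm", "course-b"))
            rejected = False
        except ValueError:
            rejected = True
        return {"unsafe_escaped": escaped, "safe_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The check in safe_extract is done on the fully resolved path (realpath) rather than on the raw entry name, so it also catches names that only become traversals after normalisation, and all entries are validated before the first byte is written so a rejected package leaves no partial extraction behind. Note that Python's own ZipFile.extractall strips drive letters and ".." components; the vulnerable pattern appears when code composes the destination path itself, as unsafe_extract does.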