External risk intelligence

Frappe LMS can be attacked to overwrite files on the server

CVE advisory

Severity: CRITICAL (CVSS 9.4)

CVE-2026-39405

Frappe LMS allows users with editing roles to upload files that could overwrite critical system data, potentially leading to unauthorized access. This is a critical issue that demands immediate attention.

Halo Surface Signal: 4

Path Traversal

External exposure likelihood

Halo Surface Signal score for CVE-2026-39405

This vulnerability affects a web-based Learning Management System. Such applications are commonly deployed as internet-facing web platforms to provide global access to users. Although the specific feature requires authentication, the application itself is typically accessible via the public internet in standard deployment patterns.

Horizon Alert

Summary of the vulnerability and why it matters

Users with course editing roles in Frappe LMS can upload malicious files to write data outside of intended locations. This could allow unauthorized access or modification of sensitive system files.

  • Allows unauthorized file writes.
  • Affects learning management systems.
  • Reachable from the internet.

Attack Path

How an attacker could exploit the issue

An attacker with course editing privileges in Frappe LMS can exploit this vulnerability to write files outside the intended directory by uploading a specially crafted SCORM package. This allows them to potentially overwrite critical system files or inject malicious content, leading to unauthorized access or complete system compromise.

  • Requires authenticated access.
  • Targets SCORM package upload feature.
  • Precondition: Course editing role.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows authenticated users to write files outside their intended directories, a serious security flaw in web applications. Given its critical nature and the typical internet-facing deployment of learning management systems, it is plausible attackers would seek to weaponize it for widespread impact.

  • Exploitation likely requires authenticated user interaction.
  • No known public exploit is observed.
  • The vulnerability is recently patched.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Frappe LMS to version 2.50.1 to address the critical file write vulnerability. If patching is delayed, isolate or restrict access to the LMS to prevent exploitation of the SCORM upload feature.

  • Update Frappe LMS to 2.50.1.
  • Restrict access to LMS services.
  • Monitor for unauthorized file writes.

Frequently asked questions

What is Frappe LMS and what is it used for?

Frappe LMS is a learning management system designed to help users organize and structure educational content. It is commonly used to deliver online courses and manage learning materials for students and educators.

What kind of weakness does CVE-2026-39405 represent?

CVE-2026-39405 is an instance of the CWE-22 weakness, also known as "Improper Limitation of a Pathname to a Restricted Directory (Directory Traversal)." This means the software does not properly restrict where files can be written, allowing attackers to write files in unintended locations.

How can an attacker exploit this CVE in Frappe LMS?

An attacker needs to have a course editing role within Frappe LMS. They can then upload a specially crafted SCORM ZIP package, which tricks the system into writing files outside of the designated upload directory.
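The defensive counterpart to the archive-based traversal described above, as an added example that is not Frappe LMS's own code: before any entry of an uploaded ZIP is written, resolve where it would land and reject the whole package if any entry would fall outside the course's upload directory (the destination path and the sample archives are constructed for this illustration).

```python
import io
import os
import zipfile


def safe_member_path(dest_dir: str, member_name: str) -> str:
    """Return the absolute path an archive entry would be written to, or
    raise ValueError if it would resolve outside dest_dir (the CWE-22 case)."""
    dest_root = os.path.realpath(dest_dir)
    # Normalise separators so backslash-style entries are checked the same way.
    normalized = member_name.replace("\\", "/")
    if normalized.startswith("/") or os.path.splitdrive(normalized)[0]:
        raise ValueError(f"absolute path in archive entry: {member_name!r}")
    target = os.path.realpath(os.path.join(dest_root, normalized))
    # commonpath (not startswith) so "course-1-extra" is not mistaken for "course-1".
    if os.path.commonpath([dest_root, target]) != dest_root:
        raise ValueError(f"entry escapes destination directory: {member_name!r}")
    return target


def check_scorm_package(zip_bytes: bytes, dest_dir: str) -> list:
    """Validate every entry before extracting anything.
    Returns the offending entry names; an empty list means the package is safe."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # A symlink entry (Unix mode S_IFLNK in the high 16 bits of
            # external_attr) can redirect later writes, so reject it as well.
            unix_mode = info.external_attr >> 16
            if (unix_mode & 0o170000) == 0o120000:
                bad.append(info.filename)
                continue
            try:
                safe_member_path(dest_dir, info.filename)
            except ValueError:
                bad.append(info.filename)
    return bad


def build_package(entries: dict) -> bytes:
    """Build a constructed in-memory ZIP from {entry_name: content} for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    dest = "/srv/lms/uploads/course-1"  # constructed destination path
    good = build_package({"imsmanifest.xml": "<manifest/>", "content/index.html": "<html/>"})
    print(check_scorm_package(good, dest))  # [] -> safe to extract
```

Only after `check_scorm_package` returns an empty list should extraction proceed, and the extraction itself should write each entry to the path `safe_member_path` returned rather than to the raw entry name.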

Who should be concerned about this vulnerability, based on its exposure?

This vulnerability affects a web-based learning system, which is often accessible from the internet. Therefore, organizations using Frappe LMS, especially those with internet-facing instances, should be concerned.

What is the first step to address this threat?

The immediate first step is to update Frappe LMS to version 2.50.1, as this version includes a fix for the vulnerability. If immediate patching is not possible, restricting access to the LMS can help mitigate the risk.
