CVE-2026-39405
Status: Received - Intake
Frappe LMS SCORM ZIP Path Traversal

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: GitHub, Inc.

Description
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.50.0 and below, a user with the course editing role could upload a crafted SCORM ZIP package whose entry names caused files to be written outside the intended extraction directory (CWE-22, ZIP path traversal). This issue has been resolved in version 2.50.1.
CVSS Scores: none listed
EPSS Scores: not yet evaluated (no probability or percentile available)
Meta Information
Published: 2026-05-20
Last Modified: 2026-05-20
Generated: 2026-05-21
AI Q&A: 2026-05-20
EPSS Evaluated: N/A
External entries: NVD, EUVD
Affected Vendors & Products (3 associated CPEs)
Vendor | Product | Version / Range
frappe | learning_management_system | up to 2.50.1 (excluding)
frappe | lms | up to 2.49.0 (including)
frappe | lms | from 2.50.1 (including)
CWE
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal"): The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39405 is a path traversal vulnerability in the Frappe Learning Management System (LMS) affecting versions 2.50.0 and below. Specifically, a user with the course editing role could upload a malicious SCORM ZIP package that allowed writing files outside the intended directory. This means the system did not properly validate file paths during extraction, enabling unauthorized file writes to restricted locations.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how the path traversal vulnerability in Frappe LMS impacts compliance with common standards and regulations such as GDPR or HIPAA.

How can this vulnerability impact me?

This vulnerability can have serious impacts as it allows users with limited privileges (course editors) to write files outside their designated directories. This could lead to unauthorized modification or creation of files in sensitive areas of the system, potentially compromising system integrity, enabling further attacks, or causing data corruption.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should update the Frappe Learning Management System (LMS) to version 2.50.1 or higher.

This update includes a fix that validates extraction paths to prevent path traversal attacks when uploading SCORM ZIP packages.

Ensuring that only trusted users have the course editing role can also help reduce risk until the update is applied.
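The extraction flaw the answers above describe (an archive entry named along the lines of ../../x being written relative to the package directory, the classic "Zip Slip" form of CWE-22) and the extraction-path validation that the fix is described as adding, shown side by side as an added Python example. This is illustrative code written for this page, not Frappe LMS code: the package contents, directory layout, function names and the UnsafeEntry exception are constructed for the demonstration and say nothing about how the real SCORM upload handler is implemented or how it was patched.

```python
"""Zip Slip (CWE-22) on an uploaded SCORM package: the vulnerable extraction
pattern beside a hardened one. Illustrative code, not Frappe LMS code."""
import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path


def build_package(entries: dict[str, str]) -> bytes:
    """Build an in-memory ZIP from {entry_name: content}. Entry names are
    stored verbatim, so '..' components and leading slashes survive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: looks like a SCORM package but carries a traversal entry.
MALICIOUS_SCORM = build_package({
    "imsmanifest.xml": "<manifest identifier='course1'/>",
    "index.html": "<html>lesson</html>",
    "../../outside.txt": "written outside the package directory",
})


def extract_unsafe(zip_bytes: bytes, dest: Path) -> list[Path]:
    """Vulnerable pattern: the entry name is joined onto dest and written
    without checking where the result lands, so '../../outside.txt'
    escapes dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = Path(os.path.join(dest, info.filename))
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.resolve())
    return written


class UnsafeEntry(ValueError):
    """Hypothetical exception for an archive entry that must not be extracted."""


def safe_target(dest: Path, info: zipfile.ZipInfo) -> Path:
    """Return the on-disk path for one entry, or raise UnsafeEntry."""
    name = info.filename
    if "\x00" in name or name.startswith(("/", "\\")) or os.path.splitdrive(name)[0]:
        raise UnsafeEntry(f"absolute or malformed entry name: {name!r}")
    # A symlink entry extracted first could redirect a later entry out of dest.
    if stat.S_ISLNK(info.external_attr >> 16):
        raise UnsafeEntry(f"symlink entry: {name!r}")
    root = dest.resolve()
    target = (root / name).resolve()  # collapses any '..' components
    if target != root and root not in target.parents:
        raise UnsafeEntry(f"entry escapes destination: {name!r}")
    return target


def extract_safe(zip_bytes: bytes, dest: Path) -> list[Path]:
    """Hardened pattern: validate every entry before writing anything, so a
    rejected package leaves no partial extraction behind."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = [(info, safe_target(dest, info)) for info in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def demo() -> dict:
    """Run both extractors on constructed packages inside a fresh temp dir."""
    tmp = Path(tempfile.mkdtemp()).resolve()
    outcome = {}
    dest = tmp / "unsafe" / "course1"
    dest.mkdir(parents=True)
    extract_unsafe(MALICIOUS_SCORM, dest)
    # Two '..' hops from tmp/unsafe/course1 land in tmp itself.
    outcome["unsafe_escaped"] = (tmp / "outside.txt").is_file()
    dest = tmp / "safe" / "course1"
    dest.mkdir(parents=True)
    try:
        extract_safe(MALICIOUS_SCORM, dest)
        outcome["safe_rejected"] = False
    except UnsafeEntry:
        outcome["safe_rejected"] = True
    outcome["safe_wrote_nothing"] = not any(dest.iterdir())
    try:
        extract_safe(build_package({"/etc/absolute.txt": "x"}), dest)
        outcome["absolute_rejected"] = False
    except UnsafeEntry:
        outcome["absolute_rejected"] = True
    return outcome


if __name__ == "__main__":
    print(demo())
```

Two points worth noting when applying this to a real upload handler. Python's own ZipFile.extractall() already strips leading slashes and '..' components, so the vulnerable shape is the hand-rolled os.path.join(dest, entry.filename) shown in extract_unsafe, which is what a custom SCORM unpacker is likely to contain; and the check must run on the resolved path, not on a string comparison of the entry name, because encoded or mixed separators and symlink entries can defeat a naive name filter.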
