CVE-2026-39405
Deferred - Pending Action
Frappe LMS SCORM ZIP Path Traversal

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: GitHub, Inc.

Description
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.50.0 and below, a user with course editing role could upload a SCORM ZIP package to write files outside the intended directory. This issue has been resolved in version 2.50.1.
Meta Information
  • Published: 2026-05-20
  • Last Modified: 2026-05-20
  • Generated: 2026-06-10
  • AI Q&A: 2026-05-20
  • EPSS Evaluated: 2026-06-08
  • External records: NVD, EUVD
Affected Vendors & Products
Showing 3 associated CPEs

  Vendor   Product                      Version / Range
  frappe   learning_management_system   to 2.50.1 (exc)
  frappe   lms                          to 2.49.0 (inc)
  frappe   lms                          From 2.50.1 (inc)
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Instant insights powered by AI
Executive Summary

CVE-2026-39405 is a path traversal vulnerability in the Frappe Learning Management System (LMS) affecting versions 2.50.0 and below. Specifically, a user with the course editing role could upload a malicious SCORM ZIP package that allowed writing files outside the intended directory. This means the system did not properly validate file paths during extraction, enabling unauthorized file writes to restricted locations.

Impact Analysis

This vulnerability can have serious impacts as it allows users with limited privileges (course editors) to write files outside their designated directories. This could lead to unauthorized modification or creation of files in sensitive areas of the system, potentially compromising system integrity, enabling further attacks, or causing data corruption.

Mitigation Strategies

To mitigate this vulnerability, you should update the Frappe Learning Management System (LMS) to version 2.50.1 or higher.

This update includes a fix that validates extraction paths to prevent path traversal attacks when uploading SCORM ZIP packages.

Ensuring that only trusted users have the course editing role can also help reduce risk until the update is applied.

Compliance Impact

The provided information does not specify how the path traversal vulnerability in Frappe LMS impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves a path traversal issue in the SCORM module of the Frappe Learning Management System (LMS) that allows users with course editing roles to upload malicious SCORM ZIP packages which write files outside the intended directory.

To detect if your system is vulnerable, you should first check the version of the Frappe LMS installed. Versions 2.50.0 and below are affected, while version 2.50.1 and above include the fix.

You can check the installed version by running a command on the server hosting the LMS, for example:

  • grep or cat the version file or metadata if available, e.g., `cat /path/to/frappe_lms/version.txt` or check the package version via your package manager.
  • If the LMS is deployed via Docker or similar container, use `docker exec <container_name> frappe --version` or equivalent.

To detect exploitation attempts or presence of malicious files, you can search for unexpected files outside the SCORM directory, for example:

  • Use `find` to look for recently modified or created files outside the expected SCORM upload directory, e.g., `find /path/to/lms/uploads -type f -mtime -7` to find files modified in the last 7 days.
  • Check server logs for unusual upload activity by users with course editing roles.

Since the vulnerability is related to path traversal during ZIP extraction, monitoring for ZIP files uploaded by course editors and inspecting their contents before extraction can help detect attempts.
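The pre-extraction inspection recommended above, and the kind of extraction-path validation the 2.50.1 fix is described as adding, can be demonstrated with the following Python check. This is an added example, not code from the Frappe LMS project: it rejects archive members whose extraction path would resolve outside the destination directory, and it also rejects symbolic-link members, a related archive-extraction hazard that this advisory does not mention. The destination path and the sample package contents are constructed for the example.

```python
import io
import os
import stat
import zipfile

def unsafe_entries(zf: zipfile.ZipFile, dest_dir: str) -> list:
    """Return member names that must not be extracted into dest_dir.

    A member is rejected when the path a naive extractor would write,
    os.path.join(dest_dir, name), resolves outside dest_dir, or when the
    member is a symbolic link. Written for POSIX paths; run before extracting.
    """
    root = os.path.realpath(dest_dir)
    rejected = []
    for info in zf.infolist():
        # Treat backslashes as separators too, so a package aimed at a
        # Windows extractor is judged by the same rule.
        name = info.filename.replace("\\", "/")
        target = os.path.realpath(os.path.join(root, name))
        outside = os.path.commonpath([root, target]) != root
        is_link = stat.S_ISLNK(info.external_attr >> 16)
        if outside or is_link:
            rejected.append(info.filename)
    return rejected

def build_sample_package() -> bytes:
    """Constructed sample: a SCORM-like ZIP with two legitimate members
    and three members that a safe extractor must refuse."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("imsmanifest.xml", "<manifest/>")        # legitimate
        zf.writestr("res/index.html", "<html></html>")       # legitimate
        zf.writestr("../../outside/evil.txt", "x")           # ../ traversal
        zf.writestr("/tmp/absolute.txt", "x")                # absolute path
        link = zipfile.ZipInfo("link-to-outside")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16    # symlink member
        zf.writestr(link, "../../")
    return buf.getvalue()

def check_package(zip_bytes: bytes, dest_dir: str) -> list:
    """Open an uploaded package from bytes and run the check on it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return unsafe_entries(zf, dest_dir)

if __name__ == "__main__":
    # "/srv/scorm/course-1" is an assumed destination, not a Frappe path.
    print(check_package(build_sample_package(), "/srv/scorm/course-1"))
```

An upload whose returned list is non-empty should be refused outright rather than extracted with the offending members skipped, since the package as a whole is not trustworthy.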
