CVE-2025-11282

LOW 2.4

Frappe LMS Incomplete Fix CVE-2025-55006 cross site scripting

CVSS Score

2.4

EPSS Score

0.1%

EPSS Percentile

21th

A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.

CWE	CWE-79 CWE-94
Vendor	frappe
Product	lms
Published	Oct 5, 2025
Last Updated	Mar 25, 2026

Stay Ahead of the Next One

Get instant alerts for frappe lms

Be the first to know when new low vulnerabilities affecting frappe lms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Frappe / LMS

2.34.* 2.35.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/?id.327016 vuldb.com: https://vuldb.com/?ctiid.327016 vuldb.com: https://vuldb.com/?submit.659696 github.com: https://github.com/frappe/lms/security/advisories/GHSA-mvxw-r9x4-3vrr gist.github.com: https://gist.github.com/0xHamy/c2a81f2d1c779c513fa3db6f3ad24544#steps-to-reproduce github.com: https://github.com/frappe/lms/

Credits

🔍 0xHamy (VulDB User)