CVE-2026-39405

UNKNOWN 0.0

Frappe has Path Transversal via SCORM

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.50.0 and below, a user with course editing role could upload a SCORM ZIP package to write files outside the intended directory. This issue has been resolved in version 2.50.1.

CWE	CWE-22
Vendor	frappe
Product	lms
Published	May 20, 2026

Stay Ahead of the Next One

Get instant alerts for frappe lms

Be the first to know when new unknown vulnerabilities affecting frappe lms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

frappe / lms

< 2.50.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/frappe/lms/security/advisories/GHSA-mxh7-g3r7-g96h github.com: https://github.com/frappe/lms/releases/tag/v2.50.1