Insufficient Validation in Frappe Learning Image Uploads
CVE-2025-55006

4.3MEDIUM

Key Information:

Vendor: Frappe
Status: Lms
Vendor: CVE Published:; 9 August 2025

What is CVE-2025-55006?

In Frappe Learning versions prior to 2.34.0, the application fails to properly sanitize SVG files uploaded via its image functionality. This oversight permits the inclusion of embedded JavaScript or other harmful content within SVG files. Attackers can exploit this vulnerability by uploading malicious SVG images, potentially leading to the execution of arbitrary scripts within the browser context of users. A security update is scheduled to address this flaw in version 2.34.0.

Affected Version(s)

lms <= 2.33.0

References

https://github.com/frappe/lms/security/advisories/GHSA-mv...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 9, 2025
Vulnerability Reserved
Aug 4, 2025