Public File Exposure in Frappe Learning by Frappe Technologies
CVE-2025-62158

2.7 LOW

Key Information:

Vendor: Frappe

Status
Vendor
CVE Published: 10 October 2025

What is CVE-2025-62158?

Frappe Learning, a platform designed for managing educational content, was found to have a significant issue where student-uploaded assignment attachments were stored as public files. This vulnerability allowed anyone with access to the specific file URLs to view or download these attachments without any authentication. Such exposure raises serious concerns regarding data privacy and security, particularly for sensitive student information. The issue has been addressed in version 2.38.0, where the system now ensures that all uploaded files are set to private by default, protecting them from unauthorized access.

Affected Version(s)

lms < 2.38.0

CVSS V4

Score: 2.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
