XSS Vulnerability in Frappe Learning Management System Prior to Version 2.42.0
CVE-2025-67730

5.1MEDIUM

Key Information:

Vendor: Frappe
Status: Lms
Vendor: CVE Published:; 12 December 2025

What is CVE-2025-67730?

The Frappe Learning Management System (LMS) prior to version 2.42.0 is susceptible to a Cross-Site Scripting (XSS) vulnerability. This allows authenticated users to exploit the system by injecting malicious HTML and JavaScript into the description fields found in Job, Course, and Batch forms. Such vulnerabilities can lead to unauthorized actions being performed on behalf of other users or the exposure of sensitive information. Users are strongly advised to upgrade to version 2.42.0 or later to mitigate this risk.

Affected Version(s)

lms < 2.42.0

References

https://github.com/frappe/lms/security/advisories/GHSA-jj...

x_refsource_CONFIRM

https://github.com/frappe/lms/commit/0877e32e1bfe64831b87...

x_refsource_MISC

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 12, 2025
Vulnerability Reserved
Dec 10, 2025

JSON