CVE-2025-11282 MEDIUM

CVE-2025-11282: Frappe LMS Incomplete Fix CVE-2025-55006 cross-site scripting

Vendor Frappe
Product LMS
Weakness CWE-79 · XSS
Published October 5, 2025
Last update March 25, 2026

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01 Description

A vulnerability was found in Frappe LMS 2.34.x/2.35.0. It affects an unknown function of the component Incomplete Fix CVE-2025-55006. Manipulation results in cross-site scripting. The attack can be carried out remotely. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that they have been fixed. However, the release notes on GitHub do not mention them.

Key dates

02 Disclosure timeline

October 5, 2025 CVE published
March 25, 2026 Record updated