CVE-2025-66581 LOW

CVE-2025-66581: Frappe LMS is Missing Server-Side Authorization in Business Logic

Vendor Frappe

Product lms

Weakness CWE-863 · Incorrect authorization

Published December 5, 2025

Last update December 5, 2025

View on NVD All CVEs

CVSS base score

1.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01Description

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the affected endpoints relied on client-side or UI-level checks instead of enforcing permissions on the server, users with low-privileged roles (such as students) could perform operations intended only for instructors or administrators via directly using the API's. This vulnerability is fixed in 2.41.0.

Key dates

02Disclosure timeline

December 5, 2025 CVE published

December 5, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-66581 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

CVE-2025-66581: Frappe LMS is Missing Server-Side Authorization in Business Logic

01Description

02Disclosure timeline

03References

04Related CVE