CVE-2025-67730 MEDIUM

CVE-2025-67730: Frappe authenticated users can execute XSS through form description fields

Vendor Frappe
Product lms
Weakness CWE-79 · XSS
Published December 12, 2025
Last update December 18, 2025

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Passive
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0.

Key dates

02 Disclosure timeline

December 12, 2025 CVE published
December 18, 2025 Record updated