CVE-2026-39405
CriticalSummary
Frappe Learning Management System (LMS) versions 2.50.0 and below allowed users with course editing roles to upload SCORM ZIP packages, enabling file writes outside the intended directory. This issue has been resolved in version 2.50.1.
Risk Assessment
The ability to write files in unintended locations poses a risk of data integrity breaches and potential malware introduction.
Recommendation
It is recommended to upgrade the system to version 2.50.1 or later to mitigate this vulnerability.
Original NVD description (English source)
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.50.0 and below, a user with course editing role could upload a SCORM ZIP package to write files outside the intended directory. This issue has been resolved in version 2.50.1.

