CVE-2026-46546: Frappe LMS Authentication Bypass Redirect Vulnerability
Frappe Learning Management System prior to version 2.53.0 contains a vulnerability where authenticated users can inject malicious code into certain editable fields. When these fields are displayed in page metadata, visiting users' browsers are automatically redirected to attacker-controlled URLs without their knowledge. The vulnerability requires an attacker to have valid user credentials and for a victim to visit a page containing the injected content, but once triggered, it can lead to credential theft, malware distribution, or other social engineering attacks.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-74, CWE-79
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-09
NVD description (verbatim)
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to version 2.53.0, an authenticated user could supply specially crafted content in certain user-editable fields that, when surfaced in page metadata, caused visitors' browsers to navigate to an attacker-chosen URL. This issue has been patched in version 2.53.0.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46546 is an authenticated reflected/stored cross-site scripting (XSS) vulnerability in Frappe LMS versions prior to 2.53.0. The flaw exists in the handling of user-supplied content in editable fields that are subsequently rendered within page metadata (likely Open Graph, meta tags, or similar structures). An authenticated attacker can craft specially formatted input that escapes sanitization and executes arbitrary JavaScript in visitors' browsers, causing automatic navigation via the javascript: protocol or similar vectors. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-79 (Cross-site Scripting), indicating insufficient output encoding of user-controlled data.
Business impact
Organizations deploying Frappe LMS face credential theft and data exfiltration risks if internal users are compromised. An insider with valid credentials can inject malicious redirects into course content or learning materials, silently redirecting other users—including students, instructors, or administrators—to credential harvesting pages. This undermines the integrity of the learning platform, damages institutional trust, and exposes the organization to downstream attacks such as phishing, malware deployment, or further lateral movement. Educational institutions and corporate training environments relying on this system should treat this as a trust boundary violation.
Affected systems
Frappe Learning Management System versions prior to 2.53.0 are affected. Organizations running Frappe LMS should immediately identify deployed versions and compare against 2.53.0. All instances accessible to multiple users (students, instructors, administrators) are at risk if any authenticated user account is compromised or if an insider is malicious.
Exploitability
The vulnerability requires authentication (CVSS metric PR:L), so a valid user account is necessary. However, in educational and training environments, user accounts are typically abundant and less protected than administrative credentials. No special browser configuration is required; the attack triggers automatically when a victim visits a page containing injected metadata. The user interaction requirement (CVSS metric UI:R) means the victim must visit the page—achievable through sharing course links or embedding content. Overall exploitability is moderate: not trivial, but well within reach of an insider threat or compromised user account.
Remediation
Upgrade Frappe Learning Management System to version 2.53.0 or later immediately. This version includes fixes for the metadata sanitization flaw. Organizations unable to patch immediately should restrict editing permissions on sensitive content fields, implement strict access controls on user account creation, and monitor for unusual URL redirects in page metadata. Consider deploying a Web Application Firewall (WAF) rule to block javascript: protocol in HTTP responses if the platform is internet-facing.
Patch guidance
Apply the official Frappe LMS patch by upgrading to version 2.53.0 or later. Before patching production systems, test the upgrade in a staging environment to ensure compatibility with custom modules or extensions. Verify that the patch does not introduce regressions in content rendering or metadata handling. Once deployed, confirm that user-editable fields no longer allow injection of redirect payloads by testing with sample malicious input (e.g., 'javascript:alert(1)').
Detection guidance
Monitor Frappe LMS logs and HTTP traffic for: (1) unusual edits to content fields containing URL-like or javascript: protocol strings; (2) metadata responses containing unencoded special characters or scripts; (3) automatic redirects to external domains initiated from LMS pages; (4) unexpected changes to course or learning material content by authenticated users. Check Open Graph tags, canonical URLs, and other metadata fields in page source for suspicious content. Use browser console logs to identify script execution sources. Correlate user edits with subsequent visitor complaints of unexpected redirects.
Why prioritize this
CVE-2026-46546 merits prompt attention despite a MEDIUM CVSS score because it exploits the trust model of educational and training platforms. Educational institutions often assume internal users are trustworthy, making this insider threat vector particularly dangerous. The automatic redirect behavior creates a silent attack surface—victims may not immediately recognize they've been compromised. Organizations with distributed user bases, high account turnover (typical in schools), or BYOD policies should prioritize patching to prevent widespread credential harvesting campaigns targeting their user population.
Risk score, explained
The CVSS 3.1 score of 5.4 (MEDIUM) reflects the requirement for prior authentication (PR:L) and user interaction (UI:R), which reduce likelihood of large-scale exploitation. However, the scope change (S:C) indicates the impact crosses trust boundaries—a user's actions affect other users. Confidentiality and integrity impacts are rated as Low (C:L, I:L) because the attacker can redirect users but does not gain direct access to sensitive data within the LMS. Availability is not impacted. In the context of educational institutions or enterprises where user accounts are relatively easy to obtain or compromise, the effective risk is elevated relative to the numeric score.
Frequently asked questions
Can this vulnerability be exploited by unauthenticated attackers?
No. The vulnerability requires a valid user account (authenticated access) to inject the malicious content into editable fields. However, the malicious content affects any visitor who views the page, including unauthenticated users.
What if we restrict user permissions to edit sensitive fields?
Restricting edit permissions significantly reduces the attack surface, but does not eliminate risk entirely. If any user with editing privileges is compromised or acts maliciously, the vulnerability remains exploitable. Patching to version 2.53.0 is the authoritative fix.
Is this vulnerability being actively exploited in the wild?
There is no evidence of active exploitation in public vulnerability tracking systems (KEV status: not listed). However, the relative simplicity of the attack and the insider threat nature make it likely to be exploited opportunistically in compromised educational environments.
How long does it take to upgrade to version 2.53.0?
Upgrade time depends on your deployment model, customizations, and staging test procedures. Typical time ranges from 1–4 hours for managed deployments. Always test in a non-production environment first and have a rollback plan.
This analysis is provided for informational and educational purposes only and does not constitute professional security advice. Organizations should conduct their own risk assessments and consult official vendor advisories before patching. SEC.co makes no warranty regarding the completeness or accuracy of this analysis. Always verify patch availability and compatibility with your specific Frappe LMS deployment before applying updates. Exploit code, weaponized proof-of-concepts, and active attack strategies are intentionally excluded from this document. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-47634HIGHSharePoint Output Injection Spoofing Vulnerability
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide