CVE-2025-11282

low-risk
Published 2025-10-05

A vulnerability was found in Frappe LMS 2.34.x/2.35.0. The impacted element is an unknown function of the component Incomplete Fix CVE-2025-55006. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The affected component should be upgraded. The vendor was informed early about a total of four security issues and confirmed that those have been fixed. However, the release notes on GitHub do not mention them.

Do I need to act?

-
0.06% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
2
CVSS 2.4/10 Low
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Frappe

References (8)

Exploit https://gist.github.com/0xHamy/c2a81f2d1c779c513fa3db6f3ad24544#steps-to-reprodu...
https://github.com/frappe/lms/
Vendor Advisory https://github.com/frappe/lms/security/advisories/GHSA-mvxw-r9x4-3vrr
Permissions Required https://vuldb.com/?ctiid.327016
Third Party Advisory https://vuldb.com/?id.327016
Exploit https://vuldb.com/?submit.659696
Exploit https://gist.github.com/0xHamy/c2a81f2d1c779c513fa3db6f3ad24544#steps-to-reprodu...
Exploit https://vuldb.com/?submit.659696
18
/ 100
low-risk
Severity 13/34 · Low
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal