PatchSiren cyber security CVE debrief

CVE-2026-39405 frappe CVE debrief

CVE-2026-39405 is a critical path traversal issue in Frappe Learning Management System (LMS). The advisory says a user with course editing privileges could upload a SCORM ZIP package and write files outside the intended directory. The issue is resolved in version 2.50.1.

Vendor: frappe
Product: lms
CVSS: CRITICAL 9.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Administrators and operators of Frappe LMS, especially environments that grant course editing roles or allow SCORM package uploads. Security teams should treat this as a high-priority application issue because the reported impact includes file writes outside the intended upload path.

Technical summary

The supplied advisory identifies CWE-22 (path traversal). In versions 2.50.0 and below, a course editing role could upload a SCORM ZIP package in a way that allows writes outside the intended directory. NVD lists the issue as CVSS 4.0 9.4/Critical with network attack vector, low attack complexity, no user interaction, and required low privileges. The fix is referenced in the Frappe LMS v2.50.1 release and GitHub Security Advisory.

Defensive priority

Urgent: patch immediately. Treat as a critical application security issue because the flaw can allow file writes outside the intended directory and is reachable with only low-privilege course editing access.

Recommended defensive actions

  • Upgrade Frappe LMS to version 2.50.1 or later.
  • Review who has the course editing role and remove unnecessary access until patched.
  • Audit SCORM upload handling and filesystem permissions to ensure uploads cannot escape the intended directory.
  • Check for unexpected or newly written files outside the approved LMS content paths.
  • Review logs for recent SCORM upload activity and follow up on any suspicious file changes.
  • After upgrading, validate that the fix blocks path traversal in SCORM package handling without relying on manual workarounds.
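The audit item above asks that uploaded packages cannot escape the intended directory. The following is an added illustration of that check for a ZIP-based package such as SCORM, written for this debrief; it is not Frappe LMS code and makes no claim about how the project's handler is implemented. The sample archive, its entry names and the destination path are constructed for the example.

```python
import io
import os
import zipfile
from pathlib import Path


def build_sample_zip(with_traversal: bool = True) -> bytes:
    """Constructed sample package (not a real SCORM upload): one normal
    entry and, optionally, one entry that tries to climb out of the
    extraction directory via '..' segments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("imsmanifest.xml", "<manifest/>")
        if with_traversal:
            zf.writestr("../../outside.txt", "escaped")
    return buf.getvalue()


def unsafe_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Return names of archive members that would resolve outside dest.

    Each member name is joined to the destination and fully resolved;
    anything that is not the destination itself or a descendant of it
    is reported. Absolute paths and drive-letter paths are rejected
    without further inspection."""
    dest_root = Path(dest).resolve()
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if os.path.isabs(name) or os.path.splitdrive(name)[0]:
                bad.append(name)
                continue
            target = (dest_root / name).resolve()
            if target != dest_root and dest_root not in target.parents:
                bad.append(name)
    return bad


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract the package only if every member stays under dest.

    The whole archive is validated before anything is written, so a
    single bad entry rejects the upload instead of partially extracting."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"archive contains traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()
```

The check is deliberately independent of the extractor's own name sanitising, so it keeps rejecting the upload even if the extraction library or its defaults change.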

Evidence notes

This debrief is based only on the supplied CVE description, the NVD record metadata, and the linked GitHub advisory/release references. The source corpus explicitly states that versions 2.50.0 and below are affected, that a course editing role can trigger the issue through SCORM ZIP upload, and that version 2.50.1 resolves it. The supplied timeline shows a public CVE publication date of 2026-05-20. No KEV entry was provided in the corpus.

Official resources

Publicly disclosed on 2026-05-20 through the CVE/NVD record and GitHub Security Advisory references included in the source corpus. The remediation reference points to Frappe LMS v2.50.1.