Platform: erpnext
Component: lms
Fixed in: 2.46.0
CVE-2026-39415 is a vulnerability affecting Frappe Learning Management System (LMS) versions 1.0.0 through 2.46.0. This issue allows students to manipulate quiz scores before submission using browser developer tools. While it doesn't enable access to other users' data or privilege escalation, it compromises the integrity of quiz results. A fix is available in version 2.46.0.
The primary impact of CVE-2026-39415 is the potential for inaccurate quiz scores and compromised academic integrity. The attackers in this case are students, who can use browser developer tools to alter the calculated score before the submission request is sent to the server. This is possible because the application calculates quiz scores on the client side and does not validate them on the server. The vulnerability does not allow for data breaches or privilege escalation, but it directly undermines the reliability of assessment results. Repeated score manipulation could lead to unfair grading and inaccurate performance evaluations.
CVE-2026-39415 was publicly disclosed on 2026-04-08. There are currently no known public proof-of-concept exploits available. The vulnerability's impact is limited to data integrity within the LMS, and it does not appear to be actively exploited. It has not been added to the CISA KEV catalog. The probability of exploitation is considered low due to the technical skill required and the limited scope of the impact.
Exploit Status
EPSS: 0.10% (27th percentile)
The recommended mitigation for CVE-2026-39415 is to immediately upgrade to Frappe LMS version 2.46.0 or later. Prior to upgrading, it is crucial to back up your Frappe LMS database and application files. If the upgrade process causes compatibility issues, consider rolling back to a previous stable version and applying any available patches or workarounds. Implement server-side validation of quiz scores to prevent client-side manipulation in future versions. After upgrading, confirm the fix by attempting to modify quiz scores using browser developer tools and verifying that the changes are not reflected in the submitted results.
Update the Frappe Learning Management System to version 2.46.0 or later to mitigate the vulnerability. This version fixes the issue by validating quiz scores on the server-side, preventing students from modifying them through browser developer tools.
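The server-side validation described above, sketched as an added example (this is not Frappe LMS code): the handler recomputes the score from the submitted answers and a server-held answer key, and treats any client-supplied score only as an audit signal. The names `grade_submission`, `GradedSubmission`, `ANSWER_KEY` and the payload layout are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed answer key; on a real server this is loaded from the database
# and is never sent to the browser.
ANSWER_KEY = {
    "q1": {"correct": {"b"}, "marks": 2},
    "q2": {"correct": {"a", "c"}, "marks": 3},
    "q3": {"correct": {"d"}, "marks": 5},
}

@dataclass
class GradedSubmission:
    score: int
    max_score: int
    client_score: object  # what the browser claimed, kept for audit only
    tampering_suspected: bool

def grade_submission(payload: dict, answer_key: dict = ANSWER_KEY) -> GradedSubmission:
    """Recompute the score from the answers; never trust payload['score']."""
    answers = payload.get("answers")
    if not isinstance(answers, dict):
        raise ValueError("answers must map question id to a list of choices")
    unknown = set(answers) - set(answer_key)
    if unknown:
        raise ValueError(f"unknown question ids: {sorted(unknown)}")

    score = 0
    for qid, spec in answer_key.items():
        chosen = answers.get(qid, [])
        if not isinstance(chosen, list) or not all(isinstance(c, str) for c in chosen):
            raise ValueError(f"choices for {qid} must be a list of strings")
        # Full marks only for an exact match; unanswered questions earn nothing.
        if set(chosen) == spec["correct"]:
            score += spec["marks"]

    max_score = sum(spec["marks"] for spec in answer_key.values())
    client_score = payload.get("score")
    # A client value that disagrees with the server's result is a detection signal.
    tampered = client_score is not None and client_score != score
    return GradedSubmission(score, max_score, client_score, tampered)

if __name__ == "__main__":
    # Constructed request body: one correct answer, but the browser claims 10/10.
    forged = {"answers": {"q1": ["b"], "q2": ["a"], "q3": ["a"]}, "score": 10}
    print(grade_submission(forged))
```

Logging submissions where `tampering_suspected` is true gives instructors a record of attempted manipulation even though the stored score is unaffected.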
CVE-2026-39415 is a vulnerability in Frappe LMS versions 1.0.0 through 2.46.0 that allows students to modify quiz scores client-side before submission, compromising data integrity.
You are affected if you are using Frappe LMS versions 1.0.0 through 2.46.0. Upgrade to version 2.46.0 to mitigate the risk.
Upgrade to Frappe LMS version 2.46.0 or later. Back up your data before upgrading and implement server-side validation for quiz scores.
There are currently no known public exploits or confirmed active exploitation of CVE-2026-39415.
Refer to the official Frappe LMS security advisories on their website or GitHub repository for updates and detailed information.