CVE-2026-39405: Frappe LMS Path Traversal Vulnerability

CVE-2026-39405 Overview

CVE-2026-39405 is a path traversal vulnerability in Frappe Learning Management System (LMS), affecting versions 2.50.0 and below. The flaw allows an authenticated user holding the course editing role to upload a malicious Sharable Content Object Reference Model (SCORM) ZIP package. During extraction, the application writes files outside the intended SCORM content directory, enabling arbitrary file write on the host. Frappe resolved the issue in version 2.50.1. The vulnerability is tracked under [CWE-22] (Improper Limitation of a Pathname to a Restricted Directory).

Critical Impact

Authenticated course editors can write arbitrary files outside the SCORM upload directory, leading to potential remote code execution and full compromise of the Frappe LMS host.

Affected Products

• Frappe Learning Management System (LMS) versions 2.50.0 and below
• Fixed in Frappe LMS version 2.50.1
• Any deployment exposing course editor functionality to untrusted users

Discovery Timeline

• 2026-05-20 - CVE-2026-39405 published to the National Vulnerability Database (NVD)
• 2026-05-20 - Last updated in NVD database
• 2026-05-20 - Frappe published GitHub Security Advisory GHSA-mxh7-g3r7-g96h and released Frappe LMS v2.50.1

Technical Details for CVE-2026-39405

Vulnerability Analysis

The vulnerability resides in the SCORM package import handler of Frappe LMS. SCORM content is distributed as ZIP archives containing HTML, JavaScript, and metadata. The LMS extracts these archives to a server-side directory to make the course content accessible to learners. The handler in versions 2.50.0 and below fails to validate or sanitize file paths inside the archive before extraction. An attacker crafting a ZIP entry with traversal sequences such as ../../ can direct the extractor to write outside the intended SCORM directory. This is a classic Zip Slip pattern, classified as [CWE-22].

Root Cause

The extraction routine concatenates archive entry names with the destination directory without normalizing the resulting path or verifying that it remains within the target. Standard library ZIP extractors preserve entry names verbatim. Without explicit validation, relative path segments resolve outside the upload root and overwrite or create files in arbitrary writable locations on the filesystem.

Attack Vector

The attack requires an account with the course editor role, satisfying the low-privilege precondition. The attacker builds a SCORM-shaped ZIP archive containing entries whose names embed ../ sequences targeting writable paths such as application source directories, scheduler hooks, or web-accessible static folders. The attacker uploads the archive through the standard SCORM import interface. When the server extracts the archive, attacker-controlled files land outside the SCORM sandbox. Writing to a Python module loaded by the Frappe worker or to a public assets directory can yield remote code execution or stored cross-site scripting against learners and administrators. See GitHub Security Advisory GHSA-mxh7-g3r7-g96h for vendor details.

Detection Methods for CVE-2026-39405

Indicators of Compromise

• SCORM ZIP uploads containing archive entries with ../ or absolute path prefixes in their filenames.
• Files appearing outside the configured SCORM content directory with recent modification timestamps matching upload events.
• Unexpected .py, .html, or hook files written under the Frappe apps/ or sites/ directories shortly after a course editor session.
• Web access logs showing course editor accounts hitting the SCORM import endpoint followed by anomalous requests to newly created paths.

Detection Strategies

• Inspect ZIP archive contents before extraction and reject any entry whose normalized path escapes the destination directory.
• Compare the post-extraction filesystem state against an allowlist of expected SCORM directories and flag deviations.
• Hunt for process executions spawned by the Frappe worker user that originate from files written into non-standard locations.
• Correlate course editor role assignments with SCORM upload activity to surface anomalous editors.

Monitoring Recommendations

• Enable file integrity monitoring on Frappe apps/, sites/, and any web-served static directories.
• Log and retain all SCORM upload events with the uploading user, archive hash, and resulting file paths.
• Alert on writes to Python source files, hook configuration files, or .htaccess-style files outside expected deployment workflows.

How to Mitigate CVE-2026-39405

Immediate Actions Required

• Upgrade Frappe LMS to version 2.50.1 or later, available at the Frappe LMS v2.50.1 release.
• Audit accounts holding the course editor role and remove the privilege from users who do not require SCORM import capability.
• Review filesystem locations outside the SCORM content directory for files created since SCORM uploads were first enabled.
• Rotate any secrets, API keys, or credentials stored on the LMS host if unauthorized file writes are detected.

Patch Information

Frappe released the fix in Frappe LMS v2.50.1. The patch adds validation of archive entry paths during SCORM extraction so that entries resolving outside the target directory are rejected. Administrators should pull the updated container image or git tag and restart Frappe workers after upgrading. Vendor remediation details are documented in GitHub Security Advisory GHSA-mxh7-g3r7-g96h.

Workarounds

• Temporarily disable SCORM uploads at the application or reverse proxy layer until the upgrade is applied.
• Restrict the course editor role to a small set of trusted administrators while the system remains on a vulnerable version.
• Run the Frappe worker under a least-privileged system account with read-only access to application source directories.

# Configuration example: upgrade Frappe LMS to the patched version
bench get-app --branch main lms https://github.com/frappe/lms
bench --site <your-site> install-app lms
bench update --apps lms
bench --site <your-site> migrate
bench restart