CVE-2026-46546 Overview
CVE-2026-46546 affects Frappe Learning Management System (LMS), an open-source platform used to structure and deliver educational content. Versions prior to 2.53.0 contain an input validation flaw in user-editable fields that feed page metadata. An authenticated attacker can supply specially crafted content that, when rendered in metadata, causes visitor browsers to navigate to an attacker-chosen URL. The maintainers patched the issue in version 2.53.0. The flaw is classified under CWE-74, Improper Neutralization of Special Elements in Output.
Critical Impact
Authenticated attackers can redirect site visitors to attacker-controlled URLs via injected page metadata, enabling phishing and credential theft campaigns against LMS users.
Affected Products
- Frappe Learning Management System (LMS) versions prior to 2.53.0
- Self-hosted Frappe LMS deployments using vulnerable releases
- Hosted Frappe LMS instances not yet updated to 2.53.0
Discovery Timeline
- 2026-06-10 - CVE-2026-46546 published to the National Vulnerability Database
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-46546
Vulnerability Analysis
The vulnerability stems from insufficient neutralization of user-supplied content in fields that are later surfaced in page metadata. Frappe LMS accepts content from authenticated users in editable fields such as course descriptions and profile data. When this content is reflected in metadata tags rendered to visiting browsers, crafted payloads can trigger navigation to an external URL.
The issue requires low privileges and user interaction, and the attack delivery is network-based. The Exploit Prediction Scoring System (EPSS) places exploitation likelihood at a low value, and no public exploit or in-the-wild activity has been reported.
Root Cause
The root cause is improper neutralization of special elements within output, mapped to [CWE-74]. Frappe LMS did not adequately sanitize or constrain user-controlled strings before including them in HTML metadata rendered to clients. This allowed an authenticated user to control redirection behavior triggered through metadata processing in visitor browsers.
Attack Vector
An authenticated attacker with permissions to edit content in affected fields injects a crafted payload. The payload remains stored within the application. When other users browse pages whose metadata is generated from that field, their browsers follow navigation to an attacker-controlled destination. This pattern enables phishing pages and credential harvesting workflows hosted on external domains.
No verified proof-of-concept code is available. Refer to the GitHub Security Advisory GHSA-2x47-gr9q-w6fv for vendor-supplied technical details.
Detection Methods for CVE-2026-46546
Indicators of Compromise
- Outbound HTTP redirects from LMS pages to domains unrelated to the deployment
- Unexpected URL strings stored in LMS user profile, course, or lesson fields
- Visitor session logs showing navigation away from LMS pages immediately after metadata load
Detection Strategies
- Review database fields that feed page metadata for embedded URLs or HTML-encoded payloads
- Inspect web server access logs for referrer chains where LMS pages precede unexpected external destinations
- Audit recent content edits by low-privilege accounts on Frappe LMS instances running versions below 2.53.0
Monitoring Recommendations
- Alert on additions or modifications to LMS content fields containing URL schemes such as http://, https://, or data:
- Track HTTP referrer patterns from LMS pages to identify anomalous redirect destinations
- Monitor authentication and content-edit events from LMS user accounts that rarely create or modify content
How to Mitigate CVE-2026-46546
Immediate Actions Required
- Upgrade Frappe LMS to version 2.53.0 or later across all environments
- Audit user-editable content fields for previously injected payloads and remove any malicious values
- Review user accounts with content-editing privileges and remove unnecessary access
Patch Information
Frappe published the fix in version 2.53.0 of the LMS project. Administrators should follow the upgrade instructions in the Frappe LMS security advisory and validate that the running version reports 2.53.0 or higher after deployment.
Workarounds
- Restrict content-edit permissions to trusted administrators until the upgrade completes
- Apply web application firewall rules to block URL schemes within metadata-bound fields
- Disable public registration on the LMS instance to reduce the pool of authenticated attackers
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
