{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39415", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T00:23:30.595Z", "datePublished": "2026-04-08T20:07:45.729Z", "dateUpdated": "2026-04-09T13:52:12.103Z"}, "containers": {"cna": {"title": "Frappe Learning Management System has Client-Side Manipulation of Quiz Scores", "problemTypes": [{"descriptions": [{"cweId": "CWE-602", "lang": "en", "description": "CWE-602: Client-Side Enforcement of Server-Side Security", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/frappe/lms/security/advisories/GHSA-9573-68xq-hwrx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/frappe/lms/security/advisories/GHSA-9573-68xq-hwrx"}], "affected": [{"vendor": "frappe", "product": "lms", "versions": [{"version": "< 2.46.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:07:45.729Z"}, "descriptions": [{"lang": "en", "value": "Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on client-side calculated scores, which can be altered using browser developer tools prior to sending the submission request. While this does not allow modification of other users\u2019 data or privilege escalation, it compromises the integrity of quiz results and undermines academic reliability. This issue affects data integrity but does not expose confidential information or allow unauthorized access to other accounts. This vulnerability is fixed in 2.46.0."}], "source": {"advisory": "GHSA-9573-68xq-hwrx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T13:52:03.840230Z", "id": "CVE-2026-39415", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:52:12.103Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39415", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T13:52:03.840230Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T13:52:08.063Z"}}], "cna": {"title": "Frappe Learning Management System has Client-Side Manipulation of Quiz Scores", "source": {"advisory": "GHSA-9573-68xq-hwrx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "frappe", "product": "lms", "versions": [{"status": "affected", "version": "< 2.46.0"}]}], "references": [{"url": "https://github.com/frappe/lms/security/advisories/GHSA-9573-68xq-hwrx", "name": "https://github.com/frappe/lms/security/advisories/GHSA-9573-68xq-hwrx", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on client-side calculated scores, which can be altered using browser developer tools prior to sending the submission request. While this does not allow modification of other users\u2019 data or privilege escalation, it compromises the integrity of quiz results and undermines academic reliability. This issue affects data integrity but does not expose confidential information or allow unauthorized access to other accounts. This vulnerability is fixed in 2.46.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-602", "description": "CWE-602: Client-Side Enforcement of Server-Side Security"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:07:45.729Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39415", "state": "PUBLISHED", "dateUpdated": "2026-04-09T13:52:12.103Z", "dateReserved": "2026-04-07T00:23:30.595Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T20:07:45.729Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.46.0, a vulnerability has been identified in Frappe Learning where quiz scores can be modified by students before submission. The application currently relies on client-side calculated scores, which can be altered using browser developer tools prior to sending the submission request. While this does not allow modification of other users\u2019 data or privilege escalation, it compromises the integrity of quiz results and undermines academic reliability. This issue affects data integrity but does not expose confidential information or allow unauthorized access to other accounts. This vulnerability is fixed in 2.46.0."}], "id": "CVE-2026-39415", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T21:16:59.033", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/frappe/lms/security/advisories/GHSA-9573-68xq-hwrx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-602"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.46.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "lms", "source": "cna", "vendor": "frappe"}, "product": "lms", "vendor": "frappe"}], "analysis": {"en": {"generated_at": "2026-04-08T21:24:09.415633+00:00", "value": {"mitigation_remediation": ["Upgrade Frappe LMS to version 2.46.0 or later."], "summary": {"action": "Update", "impact": "Data Integrity \u2013 Students can modify quiz scores before submission"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Frappe Learning Management System versions earlier than 2.46.0. Users running the cataloged LMS without an upgrade to the patched release are susceptible. No other vendors or products are affected.", "description_and_impact": "A flaw in the client\u2011side score calculation allows a user to alter the displayed score with browser developer tools before the quiz result is submitted. The altered score is accepted by the server, so the final record for that quiz contains the malicious value. The vulnerability does not permit access to other users\u2019 data or raise privileges; it only undermines the accuracy of a single student\u2019s results and weakens the overall academic reliability of the system.", "risk_and_exploitability": "The CVSS score of 5.3 denotes moderate overall risk. Exploitation requires only the ability to open a quiz page in a browser. An attacker can alter the score locally with minimal effort, so the likelihood of abuse among active users is high, though it does not grant any additional access or compromise confidential data. The vulnerability is not listed in the CISA KEV catalog, and no EPSS score is available, indicating limited public exploitation data but a realistic threat in environments where academic integrity matters."}}}}, "created": "2026-04-09T08:18:05.287642+00:00", "updated": "2026-04-09T08:27:27.907375+00:00", "vendors": ["frappe", "frappe$PRODUCT$lms"]}