CVE-2025-66581: Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0,
medium vulnerability
security
Summary
Frappe Learning Management System (LMS) had a vulnerability in versions before 2.41.0 where the server did not properly check user permissions. Low-privileged users such as students could perform actions meant only for instructors or administrators by calling the API (the interface that lets software communicate with other software) directly. The flaw existed because permission checks happened only on the client side or in the user interface, which is easier to bypass, rather than on the server.
Solution / Mitigation
Update to version 2.41.0 or later, where this vulnerability is fixed.
Vulnerability Details
CVSS Score
6.5 (medium)
EPSS (30-day exploit probability)
EPSS: 0.0%
Classification
Attack Sophistication: Moderate
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-66581
First tracked: February 15, 2026 at 08:37 PM
Classified by LLM (prompt v3) · confidence: 85%