CVE-2025-66581

Name of the Vulnerable Software and Affected Versions Frappe Learning Management System (LMS) versions prior to 2.41.0

Description A flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. The affected endpoints relied on client-side or UI-level checks instead of enforcing permissions on the server, enabling users with low-privileged roles, such as students, to perform operations intended only for instructors or administrators by directly using the API's.

Recommendations Update to version 2.41.0 or later.