7.1

CVE-2026-32894

Exploit
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ChamiloChamilo Lms Version < 1.11.38
ChamiloChamilo Lms Version2.0.0 Updatealpha1
ChamiloChamilo Lms Version2.0.0 Updatealpha2
ChamiloChamilo Lms Version2.0.0 Updatealpha3
ChamiloChamilo Lms Version2.0.0 Updatealpha4
ChamiloChamilo Lms Version2.0.0 Updatealpha5
ChamiloChamilo Lms Version2.0.0 Updatebeta1
ChamiloChamilo Lms Version2.0.0 Updatebeta2
ChamiloChamilo Lms Version2.0.0 Updatebeta3
ChamiloChamilo Lms Version2.0.0 Updaterc1
ChamiloChamilo Lms Version2.0.0 Updaterc2
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.03% 0.082
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 7.1 2.8 4.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.