PT-2026-30417

A flaw has been found in Campcodes Complete Online Learning Management System 1.0. This impacts the function add lesson of the file /application/models/Crud model.php. This manipulation causes unrestricted upload. It is possible to initiate the attack remotely. The exploit has been published and...

CVE-2026-34606

Frappe Learning Management System LMS is a learning system that helps users structure their content. From version 2.27.0 to before version 2.48.0, Frappe LMS was vulnerable to stored XSS. This issue has been patched in version 2.48.0...

WordPress Masteriyo LMS plugin <= 2.1.6 - Missing Authorization to Authenticated (Student+) Privilege Escalation to Administrator vulnerability

Missing Authorization to Authenticated Student+ Privilege Escalation to Administrator vulnerability discovered by Hunter Jensen skid in WordPress Plugin Masteriyo - LMS versions = 2.1.6...

CVE-2026-31914

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in hookandhook WP Courses LMS wp-courses allows DOM-Based XSS.This issue affects WP Courses LMS: from n/a through = 3.2.26...

PT-2026-28044

Incorrect Privilege Assignment vulnerability in WPFunnels Creator LMS creatorlms allows Privilege Escalation.This issue affects Creator LMS: from n/a through = 1.1.18...

CVE-2026-4573

A security vulnerability has been detected in SourceCodester Simple E-learning System 1.0. This affects an unknown part of the file /includes/formhandlers/deletepost.php of the component HTTP GET Parameter Handler. The manipulation of the argument postid leads to sql injection. It is possible to...

CVE-2026-4574

A vulnerability was detected in SourceCodester Simple E-learning System 1.0. This vulnerability affects unknown code of the component User Profile Update Handler. The manipulation of the argument firstName results in sql injection. It is possible to launch the attack remotely. The exploit is now...

CVE-2026-4574 SourceCodester Simple E-learning System User Profile Update sql injection

A vulnerability was detected in SourceCodester Simple E-learning System 1.0. This vulnerability affects unknown code of the component User Profile Update Handler. The manipulation of the argument firstName results in sql injection. It is possible to launch the attack remotely. The exploit is now...

CVE-2026-4573 SourceCodester Simple E-learning System HTTP GET Parameter delete_post.php sql injection

A security vulnerability has been detected in SourceCodester Simple E-learning System 1.0. This affects an unknown part of the file /includes/formhandlers/deletepost.php of the component HTTP GET Parameter Handler. The manipulation of the argument postid leads to sql injection. It is possible to...

CVE-2026-4573

A security vulnerability has been detected in SourceCodester Simple E-learning System 1.0. This affects an unknown part of the file /includes/formhandlers/deletepost.php of the component HTTP GET Parameter Handler. The manipulation of the argument postid leads to sql injection. It is possible to...

PT-2026-27051

Name of the Vulnerable Software and Affected Versions SourceCodester Simple E-learning System version 1.0 Description A SQL injection issue exists in the User Profile Update Handler component. The manipulation of the firstName argument can lead to SQL injection. The exploit is publicly available...

PT-2026-27050

Name of the Vulnerable Software and Affected Versions SourceCodester Simple E-learning System version 1.0 Description A security issue exists in SourceCodester Simple E-learning System 1.0. The issue is related to SQL injection within the /includes/form handlers/delete post.php file, specifically...

CVE-2026-30881

Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters datestart and dateend from $REQUEST are embedded directly into a raw SQL string without proper sanitization. Although Database::escapestrin...

CVE-2026-30882

Chamilo LMS (versions ...). The issue is triggered when pagination controls render (more than 20 session categories). A fix is available in version 1.11.36, which patches this vulnerability. If you cannot upgrade, apply an input sanitization/encoding workaround for the affected parameter and revi...

EUVD-2026-12498

Chamilo LMS is a learning management system. Prior to version 1.11.36, Chamilo is vulnerable to user enumeration with valid/invalid username. This issue has been patched in version 1.11.36...

CVE-2026-28430 Chamilo LMS Vulnerable to Unauthenticated SQL Injection in chamiko-lms model.ajax.php

Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the customdates parameter. By chaining this with a predictable legacy password reset mechanism, an...

PT-2026-25807

Chamilo LMS is a learning management system. Chamilo LMS version 1.11.34 and prior contains a Reflected Cross-Site Scripting XSS vulnerability in the session category listing page. The keyword parameter from $ REQUEST is echoed directly into an HTML href attribute without any encoding or...

CVE-2025-59540

CVE-2025-59540 affects Chamilo LMS prior to version 1.11.34. A stored cross-site scripting (XSS) vulnerability exists in the feedback input on the exercise history page, where unencoded input can be stored in the database and later rendered, enabling arbitrary JavaScript execution in the browser ...

PT-2026-23631

Name of the Vulnerable Software and Affected Versions Chamilo versions prior to 1.11.34 Description Chamilo is a learning management system with a stored cross-site scripting XSS issue. The issue exists in the platform’s social network and internal messaging features. An attacker can inject...

CVE-2025-55208 Chamilo LMS has Stored Cross Site Scripting on Social Networks Uploaded Files

Chamilo is a learning management system. Versions prior to 1.11.34 have a Stored XSS through insecure file uploads in Social Networks. Through it, a low-privilege user can execute arbitrary code in the admin user inbox, allowing takeover of the admin account. Version 1.11.34 fixes the issue...