Lucene search
K

21929 matches found

Cvelist
Cvelist
added 2026/04/11 1:25 a.m.30 views

CVE-2026-3371 Tutor LMS <= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the savecoursecontentorder private method, which is called unconditionally by the...

4.3CVSS0.00358EPSS
Exploits0References5
EUVD
EUVD
added 2026/04/11 1:25 a.m.5 views

EUVD-2026-21615

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the savecoursecontentorder private method, which is called unconditionally by the...

4.3CVSS5.8AI score0.00358EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/04/11 12:0 a.m.3 views

PT-2026-32085

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the save course content order private method, which is called unconditionally by...

4.3CVSS5.8AI score0.00358EPSS
Exploits0References6
OSV
OSV
added 2026/04/10 9:16 p.m.1 views

CGA-3X3M-J3X7-3F6W

Bulletin has no description...

6.4CVSS5.7AI score0.00292EPSS
Exploits0
NVD
NVD
added 2026/04/10 7:16 p.m.7 views

CVE-2026-33702

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference IDOR vulnerability in the Learning Path progress saving endpoint. The file lpajaxsaveitem.php accepts a uid user ID parameter directly from $REQUEST and uses it t...

7.1CVSS0.00238EPSS
Exploits0References3
NVD
NVD
added 2026/04/10 7:16 p.m.6 views

CVE-2026-33703

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference IDOR vulnerability in the /social-network/personal-data/userId endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId...

7.1CVSS0.00174EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/10 7:3 p.m.2 views

CVE-2026-33736 Chamilo LMS has an Insecure Direct Object Reference (IDOR) - User Data Exposure

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user including ROLESTUDENT can enumerate all platform users and access personal information email, phone, roles via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3...

6.5CVSS5.8AI score0.00209EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/10 7:3 p.m.18 views

CVE-2026-33736 Chamilo LMS has an Insecure Direct Object Reference (IDOR) - User Data Exposure

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user including ROLESTUDENT can enumerate all platform users and access personal information email, phone, roles via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3...

6.5CVSS0.00209EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/04/10 6:31 p.m.8 views

ch.cern:cerndb-sw-zkpolicy (=1.0.1-21), cloud.metaapi.sdk:metaapi-common-java (>=1.0.0 <=1.0.1) +258 more potentially affected by CVE-2026-34478 via org.apache.logging.log4j:log4j-core (>=3.0.0-beta1 <=3.0.0-beta3)

org.apache.logging.log4j:log4j-core MAVEN version =3.0.0-beta1, =1.0.0, =0.0.2, =00.00.03, =1.0.6, =1.0.7, =1.0.0, =2.0.21, =1.0, =1.0.2 - com.frostphyr:customappender =1.1.0 and more Source cves: CVE-2026-34478 Source advisory: OSV:GHSA-445C-VH5M-36RJ...

7.5CVSS6.5AI score0.00831EPSS
Exploits0
EUVD
EUVD
added 2026/04/10 6:23 p.m.5 views

EUVD-2026-21543

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference IDOR vulnerability in the /social-network/personal-data/userId endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId...

7.1CVSS6AI score0.00174EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/10 6:23 p.m.17 views

CVE-2026-33703 Chamilo LMS Critical IDOR: Any Authenticated User Can Extract All Users’ Personal Data and API Tokens

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference IDOR vulnerability in the /social-network/personal-data/userId endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId...

7.1CVSS0.00174EPSS
Exploits0References1
CVE
CVE
added 2026/04/10 6:23 p.m.21 views

CVE-2026-33703

CVE-2026-33703 affects Chamilo LMS prior to version 2.0.0-RC.3. An Insecure Direct Object Reference (IDOR) vulnerability exists in the /social-network/personal-data/{userId} endpoint, allowing any authenticated user to access full personal data and API tokens of arbitrary users by altering the us...

7.1CVSS6AI score0.00174EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/10 6:23 p.m.5 views

CVE-2026-33703

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference IDOR vulnerability in the /social-network/personal-data/userId endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId...

7.1CVSS6AI score0.00174EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/04/10 6:16 p.m.4 views

CVE-2026-32930

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference IDOR vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings name, max score, weight of evaluations belonging to any other...

7.1CVSS0.00193EPSS
Exploits0References3
NVD
NVD
added 2026/04/10 6:16 p.m.3 views

CVE-2026-33141

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference IDOR vulnerability in the REST API stats endpoint allows any authenticated user including low-privilege students with ROLEUSER to read any other user's learning progress, certificates, and...

6.5CVSS0.00141EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/10 6:15 p.m.3 views

CVE-2026-33702 Chamilo LMS has an Insecure Direct Object Reference (IDOR)

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference IDOR vulnerability in the Learning Path progress saving endpoint. The file lpajaxsaveitem.php accepts a uid user ID parameter directly from $REQUEST and uses it t...

7.1CVSS5.8AI score0.00238EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/10 6:15 p.m.19 views

CVE-2026-33702 Chamilo LMS has an Insecure Direct Object Reference (IDOR)

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference IDOR vulnerability in the Learning Path progress saving endpoint. The file lpajaxsaveitem.php accepts a uid user ID parameter directly from $REQUEST and uses it t...

7.1CVSS0.00238EPSS
Exploits0References3
CVE
CVE
added 2026/04/10 6:15 p.m.15 views

CVE-2026-33702

Chamilo LMS before 1.11.38 and 2.0.0-RC.3 contains an IDOR in lp_ajax_save_item.php where a uid is read from $_REQUEST and used to load/modify another user’s Learning Path progress (score, status, completion, time) without verifying the requester’s identity. Any authenticated course-enrolled user...

7.1CVSS5.8AI score0.00238EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/10 6:15 p.m.4 views

CVE-2026-33702

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference IDOR vulnerability in the Learning Path progress saving endpoint. The file lpajaxsaveitem.php accepts a uid user ID parameter directly from $REQUEST and uses it t...

7.1CVSS5.8AI score0.00238EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2026/04/10 6:1 p.m.3 views

EUVD-2026-21535

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference IDOR vulnerability in the REST API stats endpoint allows any authenticated user including low-privilege students with ROLEUSER to read any other user's learning progress, certificates, and...

6.5CVSS5.8AI score0.00141EPSS
Exploits0References2
Rows per page
Query Builder