
31 matches found

Cvelist
added 2026/04/10 5:44 p.m. · 19 views

CVE-2026-32894: Chamilo LMS has an IDOR in Gradebook that Allows Cross-Course Deletion of Any Student's Grade Result

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the deletemark or...

CVSS 7.1 · EPSS 0.0028
Exploits: 1 · References: 3

Positive Technologies
added 2026/03/18 12:00 a.m. · 4 views

PT-2026-26023

mdjnelson/moodle-mod customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds mod/customcert:manage in any single course can read and silently overwrite certificate element...

CVSS 9.6 · AI score 5.8 · EPSS 0.00168
Exploits: 0 · References: 11

RedhatCVE
added 2026/03/04 1:56 a.m. · 3 views

CVE-2025-52482

Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS vulnerability exists in the glossary function, enabling all users with the Teachers role to inject malicious JavaScript code against the administrator. This issue has been patched in version 1.11.30...

CVSS 8.3 · AI score 5.9 · EPSS 0.00373
Exploits: 1 · References: 1

NVD
added 2026/01/07 12:16 p.m. · 7 views

CVE-2025-14802

The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/fileid REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the...

CVSS 5.4 · EPSS 0.00295
Exploits: 0 · References: 5

RedhatCVE
added 2026/01/07 9:17 a.m. · 18 views

CVE-2025-1668

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to arbitrary user deletion due to a missing capability check on the wpspDeleteUser function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access a...

CVSS 5.4 · AI score 6.6 · EPSS 0.00281
Exploits: 0 · References: 1

CVE
added 2026/01/07 7:17 a.m. · 16 views

CVE-2025-14802

CVE-2025-14802 affects LearnPress – WordPress LMS Plugin for Create and Sell Online Courses. The vulnerability is an insecure direct object reference via the REST DELETE endpoint /wp-json/lp/v1/material/{file_id}. The permission check uses item_id from the request body, while the endpoint consume...

CVSS 5.4 · AI score 5.6 · EPSS 0.00295
Exploits: 0 · References: 5

Positive Technologies
added 2026/01/07 12:00 a.m. · 3 views

PT-2026-1581

Name of the Vulnerable Software and Affected Versions: LearnPress – WordPress LMS Plugin for WordPress versions up to and including 4.3.2.2. Description: The LearnPress – WordPress LMS Plugin for WordPress is susceptible to unauthorized file deletion. This is caused by a discrepancy in parameter...

CVSS 5.4 · AI score 6 · EPSS 0.00295
Exploits: 0 · References: 7

CNNVD
added 2025/11/26 12:00 a.m. · 5 views

ClassroomIO.com security vulnerability

ClassroomIO.com is an educational platform open-sourced by ClassroomIO. A security vulnerability exists in ClassroomIO.com version 0.1.13, which stems from an insecure direct object reference that could lead to a student accessing a sensitive administrator or teacher endpoint by manipulating the...

CVSS 4.3 · AI score 6.4 · EPSS 0.00238
Exploits: 2 · References: 4

EUVD
added 2025/10/03 8:07 p.m. · 5 views

EUVD-2025-6559

Malicious code in bioql PyPI...

CVSS 3.3 · AI score 6.5 · EPSS 0.00382
Exploits: 1 · References: 3

Tenable Nessus
added 2025/09/04 12:00 a.m. · 2 views

Linux Distros Unpatched Vulnerability : CVE-2017-12157

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Moodle 3.x, various course reports allow teachers to view details about users in the groups they can't access. CVE-2017-12157 Note that Nessus relies on the...

CVSS 4.3 · AI score 5.1 · EPSS 0.00972
Exploits: 0 · References: 2

Tenable Nessus
added 2025/09/03 12:00 a.m. · 2 views

Linux Distros Unpatched Vulnerability : CVE-2021-40692

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Insufficient capability checks made it possible for teachers to download users outside of their courses. CVE-2021-40692 Note that Nessus relies on the presence ...

CVSS 4.3 · AI score 5 · EPSS 0.00626
Exploits: 0 · References: 2

Tenable Nessus
added 2025/09/02 12:00 a.m. · 3 views

Linux Distros Unpatched Vulnerability : CVE-2023-28330

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and...

CVSS 6.5 · AI score 6 · EPSS 0.01182
Exploits: 0 · References: 2

RedhatCVE
added 2025/05/21 9:47 p.m. · 3 views

CVE-2004-2234

Unknown vulnerability in Moodle before 1.2 allows teachers to log in as administrators...

CVSS 7.5 · AI score 6.9 · EPSS 0.01133
Exploits: 0 · References: 1

Cvelist
added 2025/05/15 8:09 p.m. · 9 views

CVE-2024-8009 Sensei LMS < 4.20.0 - Teacher+ Users Email Address Disclosure

The Sensei LMS WordPress plugin before 4.20.0 discloses all users of the blog, including their email address, to teachers on the students page...

EPSS 0.00309
Exploits: 1 · References: 1

Snyk
added 2025/04/25 3:31 p.m. · 0 views

Arbitrary Code Injection

Overview: moodle/moodle is a learning platform. Affected versions of this package are vulnerable to Arbitrary Code Injection via the Moodle LMS Dropbox repository. An attacker can execute arbitrary code by exploiting insufficient input validation and code sanitization mechanisms. Note: This is onl...

CVSS 8.8 · AI score 8.1 · EPSS 0.00766
Exploits: 0 · References: 2

OSV
added 2025/03/15 4:15 a.m. · 2 views

CVE-2025-1669

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'addNotify' action in all versions up to, and including, 2.2.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...

CVSS 6.5 · AI score 7.3 · EPSS 0.00347
Exploits: 0 · References: 2

OSV
added 2025/03/15 4:15 a.m. · 4 views

CVE-2025-1668

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to arbitrary user deletion due to a missing capability check on the wpspDeleteUser function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access a...

CVSS 5.4 · AI score 7.4 · EPSS 0.00281
Exploits: 0 · References: 2

CNNVD
added 2024/12/09 12:00 a.m. · 2 views

Unifiedtransform security vulnerability

Unifiedtransform is an open source school management software from the individual developer Hasib Mahmud. A security vulnerability exists in Unifiedtransform version 2.0 and prior versions that stems from a functional-level access control vulnerability that allows teachers to modify personal...

CVSS 4.3 · AI score 6.6 · EPSS 0.00233
Exploits: 0 · References: 1

Positive Technologies
added 2024/12/09 12:00 a.m. · 2 views

PT-2024-17537 · Unknown · Unifiedtransform

Name of the Vulnerable Software and Affected Versions: Unifiedtransform versions 2.0 and earlier Description: A function-level access control issue exists due to missing access control checks in the student editing functionality, allowing teachers to modify student personal data without proper...

CVSS 4.3 · AI score 6.9 · EPSS 0.00233
Exploits: 0 · References: 6

OSV
added 2023/11/09 8:15 p.m. · 1 views

UBUNTU-CVE-2023-5539

A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers...

CVSS 8.8 · AI score 6.4 · EPSS 0.01862
Exploits: 0 · References: 2