
23 matches found

Vulnrichment
added 2026/05/13 5:29 a.m. | 4 views

CVE-2026-6965 Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the getcourseidby function unconditionally trusting the user-supplied course GET parameter as the authoritative course ...

CVSS 5.3 | AI score 5.7 | EPSS 0.00081
Exploits: 0 | References: 53

Vulnrichment
added 2026/04/10 5:48 p.m. | 2 views

CVE-2026-32930 Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Evaluation Edit Without Ownership Check

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other...

CVSS 7.1 | AI score 5.8 | EPSS 0.00034
Exploits: 0 | References: 3

CNNVD
added 2026/04/08 12:0 a.m. | 3 views

WordPress plugin Masteriyo LMS – Online Course Builder for eLearning, LMS & Education Security Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be added to a...

CVSS 5.3 | AI score 5.8 | EPSS 0.00027
Exploits: 0 | References: 6

EUVD
added 2026/03/18 2:26 a.m. | 3 views

EUVD-2026-12745

mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds mod/customcert:manage in any single course can read and silently overwrite certificate elements...

CVSS 9.6 | AI score 5.8 | EPSS 0.00023
Exploits: 0 | References: 3

OSV
added 2026/03/18 2:26 a.m. | 1 views

CVE-2026-30884 mdjnelson/moodle-mod_customcert Vulnerable to Authorization Bypass Through User-Controlled Key

mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds mod/customcert:manage in any single course can read and silently overwrite certificate elements...

CVSS 9.6 | AI score 5.9 | EPSS 0.00023
Exploits: 0 | References: 5

Positive Technologies
added 2026/03/18 12:0 a.m. | 1 views

PT-2026-26023

mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds mod/customcert:manage in any single course can read and silently overwrite certificate element...

CVSS 9.6 | AI score 5.8 | EPSS 0.00023
Exploits: 0 | References: 11

Cvelist
added 2026/02/23 1:55 a.m. | 17 views

CVE-2026-2997 WisdomGarden|Tronclass - Insecure Direct Object Reference

Tronclass developed by WisdomGarden has an Insecure Direct Object Reference vulnerability. After obtaining a course ID, authenticated remote attackers can modify a specific parameter to obtain a course invitation code, thereby joining any course...

CVSS 6.5 | EPSS 0.00051
Exploits: 0 | References: 2

RedhatCVE
added 2026/01/09 11:12 a.m. | 6 views

CVE-2016-10400

Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/core/courses/users/createcourse.php. The attacker can read an arbitrary file by visiting getcourseicon.php?id= after the traversal attack...

CVSS 7.5 | AI score 6.9 | EPSS 0.00533
Exploits: 1 | References: 1

EUVD
added 2025/12/16 6:26 p.m. | 2 views

EUVD-2025-203830

The Open edX Platform is a learning management platform. Prior to commit 05d0d0936daf82c476617257aa6c35f0cd4ca060, CourseLimitedStaffRole users are able to access and edit courses in studio if they are granted the role on an org rather than on a course, and CourseLimitedStaffRole users are able t...

CVSS 9.9 | AI score 6.3 | EPSS 0.00059
Exploits: 0 | References: 4

OSV
added 2025/10/23 12:15 p.m. | 1 views

UBUNTU-CVE-2025-62393

A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users to view information about courses they should not have access to, potentially exposing limited course details...

CVSS 4.3 | AI score 5.8 | EPSS 0.00049
Exploits: 0 | References: 5

Vulnrichment
added 2025/10/23 11:28 a.m. | 2 views

CVE-2025-62393 Moodle: course access permissions not properly checked in course_output_fragment_course_overview

A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users to view information about courses they should not have access to, potentially exposing limited course details...

CVSS 4.3 | AI score 5.8 | EPSS 0.00049
Exploits: 0 | References: 3

OpenVAS
added 2025/10/22 12:0 a.m. | 2 views

Moodle Multiple Vulnerabilities (MSA-25-0041, MSA-25-0046)

Moodle is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:moodle:moodle"; ifdescription...

CVSS 5.3 | AI score 7.5 | EPSS 0.00051
Exploits: 0 | References: 3

EUVD
added 2025/10/03 8:7 p.m. | 1 views

EUVD-2022-3502

Malicious code in bioql PyPI...

CVSS 5.8 | AI score 5.4 | EPSS 0.00215
Exploits: 0 | References: 6

Tenable Nessus
added 2025/09/03 12:0 a.m. | 2 views

Linux Distros Unpatched Vulnerability : CVE-2020-25701

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable th...

CVSS 5.3 | AI score 6.2 | EPSS 0.00344
Exploits: 0 | References: 2

CVE
added 2025/04/25 2:43 p.m. | 60 views

CVE-2025-3640

CVE-2025-3640 describes an IDOR in Moodle’s web service: users enrolled in a course can access other users’ details (e.g., full name and profile image URL) due to insufficient capability checks. The connected documents (BIT-MOODLE-2025-3640, OSV:GHSA-6G5X-H5X7-Q4MQ, OSV/CIRCL sightings, CNVD) con...

CVSS 4.3 | AI score 4.4 | EPSS 0.00163
Exploits: 0 | References: 3 | Affected Software: 1

SUSE CVE
added 2023/02/15 5:2 a.m. | 1 views

SUSE CVE-2016-5014

In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course...

CVSS 5.8 | AI score 7 | EPSS 0.00215
Exploits: 0 | References: 3

CNVD
added 2021/03/19 12:0 a.m. | 4 views

Moodle Information Disclosure Vulnerability (CNVD-2021-28716)

Moodle is a free, open-source e-learning software platform, also known as a course management system, learning management system or virtual learning environment. A security vulnerability exists in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17, which stems from a failure to validate that a requesting...

CVSS 4.3 | AI score 6.3 | EPSS 0.00153
Exploits: 0 | References: 1

Veracode
added 2020/11/20 3:33 a.m. | 37 views

Privilege Escalation

moodle/moodle is vulnerable to privilege escalation. The vulnerability exists when an enrollment method that did not exist, or was disabled, would be enabled if it was deleted, allowing unintended users access to the course...

CVSS 5.3 | AI score 4.6 | EPSS 0.00344
Exploits: 0 | References: 7 | Affected Software: 1

UbuntuCve
added 2017/01/20 8:59 a.m. | 13 views

CVE-2016-5014

In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course...

CVSS 5.8 | AI score 6.1 | EPSS 0.00215
Exploits: 0 | References: 2

NVD
added 2017/01/20 8:59 a.m. | 10 views

CVE-2016-5014

In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course...

CVSS 5.8 | AI score 5.4 | EPSS 0.00215
Exploits: 0 | References: 2