PT-2026-32939

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/id endpoint allows any authenticated user with ROLE STUDENT to escalate their privileges to ROLE ADMIN by modifying the roles field...

CVE-2026-40188

goshs is a Go-based SimpleHTTPServer. From 1.0.7 to before 2.0.0-beta.4, the SFTP rename logic sanitizes only the source path, not the destination, allowing writes outside the root directory of the SFTP. This could enable writing outside the intended sandbox. The issue is fixed in 2.0.0-beta.4 . ...

CVE-2026-33703

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference IDOR vulnerability in the /social-network/personal-data/userId endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId...

CVE-2026-33141

Chamilo LMS contains an IDOR in the REST API stats endpoint (CVE-2026-33141). Prior to version 2.0.0-RC.3, any authenticated user (including ROLE_USER) could read another user’s learning progress, certificates, and gradebook scores for any course without enrollment or supervisory relationship. Th...

PT-2026-32012

Name of the Vulnerable Software and Affected Versions Chamilo LMS versions prior to 2.0.0-RC.3 Description Chamilo LMS, a learning management system, contains an Insecure Direct Object Reference IDOR vulnerability in the REST API stats endpoint. This allows any authenticated user, even those with...

WordPress Weather Atlas Widget Plugin <= 1.2.1 is vulnerable to Cross Site Scripting (XSS)

Software Weather Atlas Widget Type Plugin Vulnerable versions = 1.2.1 Fixed in 2.0.0 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2023-5163 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 53d44a1617c5 Credits István Márton...