CVE-2026-32894
published 2026-04-10CVE-2026-32894: Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result…
PriorityP340high7.1CVSS 3.1
AVNACLPRLUINSUCNIHAL
EPSS
0.28%
19.7th percentile
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chamilo | chamilo-lms | < 1.11.38 | 1.11.38 |
| chamilo | chamilo-lms | — | — |
| chamilo | chamilo_lms | < 1.11.38 | 1.11.38 |
| chamilo | chamilo_lms | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98
2026-04-10
Published