CVE-2026-32894 | THREATINT

Description

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

PUBLISHED Reserved 2026-03-16 | Published 2026-04-10 | Updated 2026-04-13 | Assigner GitHub_M

HIGH: 7.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Problem types

CWE-476: NULL Pointer Dereference

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

< 1.11.38

affected

>= 2.0.0-alpha.1, < 2.0.0-RC.3

affected

References

github.com/...lo-lms/security/advisories/GHSA-rqpg-p95v-fv98 exploit

github.com/...lo-lms/security/advisories/GHSA-rqpg-p95v-fv98

github.com/...ommit/3b03306d1a0301a81b9284e86893b27f518ab151

github.com/...ommit/740f5a6e192a52a3adde3c3241c86401b1d2c519

cve.org (CVE-2026-32894)

nvd.nist.gov (CVE-2026-32894)

Download JSON