{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32894", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T21:03:44.422Z", "datePublished": "2026-04-10T17:44:24.994Z", "dateUpdated": "2026-04-13T15:36:28.238Z"}, "containers": {"cna": {"title": "Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Deletion of Any Student's Grade Result", "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "lang": "en", "description": "CWE-476: NULL Pointer Dereference", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98"}, {"name": "https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151"}, {"name": "https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519"}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"version": "< 1.11.38", "status": "affected"}, {"version": ">= 2.0.0-alpha.1, < 2.0.0-RC.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T17:44:24.994Z"}, "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."}], "source": {"advisory": "GHSA-rqpg-p95v-fv98", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T15:28:29.597656Z", "id": "CVE-2026-32894", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:36:28.238Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32894", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:28:29.597656Z"}}}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:24:22.702Z"}}], "cna": {"title": "Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Deletion of Any Student's Grade Result", "source": {"advisory": "GHSA-rqpg-p95v-fv98", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"status": "affected", "version": "< 1.11.38"}, {"status": "affected", "version": ">= 2.0.0-alpha.1, < 2.0.0-RC.3"}]}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98", "name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151", "name": "https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519", "name": "https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T17:44:24.994Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32894", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:36:28.238Z", "dateReserved": "2026-03-16T21:03:44.422Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T17:44:24.994Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4D0C5D2-6FA0-4532-8E3D-4EA111A50621", "versionEndExcluding": "1.11.38", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "4AF7661F-C1F7-4CAB-BBDF-FC5BF7F5BEB8", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "FE56AF71-9D53-42C6-980D-09E1C418ED87", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "01195674-9E1A-4C07-B7D3-0F0CC2E6511B", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "BAE63449-5A56-4302-A4BF-F3D19FC96A80", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*", "matchCriteriaId": "A84A06F9-5AB7-4703-8153-33AC68882B95", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "B91302A3-53DE-4ED0-BAAB-FE9DA03F8242", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "46008D4A-96F7-4E04-8256-E115AAAE3383", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "6E2BCAFF-D44B-4E67-998A-DF855E27606B", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "D2E7D018-E4C2-45F5-8D9A-DAC947173607", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "DAF96697-6B6D-459D-9510-E5CEEDC2859B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."}], "id": "CVE-2026-32894", "lastModified": "2026-04-17T21:28:56.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T18:16:42.117", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.11.38)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0-alpha.1,2.0.0-RC.3)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "chamilo-lms", "source": "cna", "vendor": "chamilo"}, "product": "chamilo_lms", "vendor": "chamilo"}], "analysis": {"en": {"generated_at": "2026-04-10T19:24:10.111418+00:00", "value": {"mitigation_remediation": ["Upgrade Chamilo LMS to version 1.11.38 or later, or to 2.0.0\u2011RC.3 or later, if you are still using an earlier release.", "Verify that the gradebook result view no longer accepts arbitrary student identifiers and that teachers cannot delete grades from other courses.", "Check the Chamilo project website or security advisories for additional patches or updates that address related issues."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Grade Deletion"}, "threat_synthesis": {"affected_systems": "The defect is present in versions of Chamilo LMS older than 1.11.38 and 2.0.0\u2011RC.3. Users running these legacy releases need to review their deployment and verify whether the gradebook module has been affected.", "description_and_impact": "An insecure direct object reference in the gradebook result view page allows an authenticated teacher to delete any student\u2019s grade record by manipulating the delete_mark or resultdelete GET parameters. Because the application performs no ownership or course\u2011scope verification, the deletion can target any user across all courses, compromising the integrity of the grading system. The vulnerability is rooted in improper null reference handling (CWE\u2011476) and lack of authorization checks (CWE\u2011639). Any successful exploitation results in permanent removal of grade data, which can affect academic assessment and reporting.", "risk_and_exploitability": "With a CVSS score of 7.1 the vulnerability is classified as high severity. While an EPSS score is not reported, the attack requires only that the actor be a logged\u2011in teacher with the ability to edit URLs, a common role in organizations using Chamilo. The exploit is straightforward, involving a simple GET request modification, and does not depend on advanced techniques, making it likely to be used by malicious insiders or compromised teacher accounts."}}}}, "created": "2026-04-13T12:43:37.302171+00:00", "updated": "2026-04-13T13:00:00.117885+00:00", "vendors": ["chamilo", "chamilo$PRODUCT$chamilo_lms"]}