CVE-2026-32930

HIGH

Chamilo LMS Gradebook Evaluations - Insecure Direct Object Reference

Title source: manual

Description

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

References (3)

Core 3

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-9h22-wrg7-82q6

X_Refsource_Misc x_refsource_misc

https://github.com/chamilo/chamilo-lms/commit/63e1e6d3d717bd537c7c61719416da35aaa658dd

View Writeup ZIP pw:eip

X_Refsource_Misc x_refsource_misc

https://github.com/chamilo/chamilo-lms/commit/f03f681df939db0429edc8414fb3ce4e4b80d79d

View Writeup ZIP pw:eip

Scores

CVSS v3 7.1

EPSS 0.0019

EPSS Percentile 9.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (4)

chamilo/chamilo-lms < 1.11.38

chamilo/chamilo-lms >= 2.0.0-alpha.1, < 2.0.0-RC.3

chamilo/chamilo_lms 2.0.0 alpha1 (10 CPE variants)

chamilo/chamilo_lms < 1.11.38

Published Apr 10, 2026

Tracked Since Apr 11, 2026