Zero Day MonitorZDM

← Back to list

7.1

CVE-2026-32894EXPLOITED

chamilo · chamilo-lms

Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Deletion of Any Student's Grade Result

Description

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

Affected Products

Vendor	Product	Versions
chamilo	chamilo-lms	< 1.11.38, >= 2.0.0-alpha.1, < 2.0.0-RC.3, < 1.11.37, < 2.0.0-RC.2

References

https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98(x_refsource_CONFIRM)
https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151(x_refsource_MISC)
https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-32894 | Chamilo LMS up to 1.11.37/2.0.0-RC.2 delete_mark/resultdelete null pointer dereference (GHSA-rqpg-p95v-fv98)

→ No new info (linked only)

CVSS 3.17.1 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-476, CWE-639

PublishedApr 10, 2026

Last enriched4h agov2

Trending Score49

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-33704EXP

Chamilo LMS Affected by Authenticated Arbitrary File Write via BigUpload endpoint

CRITICALCVE-2026-33706EXP

Chamilo LMS has a REST API Self-Privilege Escalation (Student → Teacher)

CRITICALCVE-2026-31939EXP

Path Traversal (Arbitrary File Delete) in Chamilo LMS

CRITICALCVE-2026-32931EXP

Chamilo LMS has Arbitrary File Upload via MIME-Only Validation in Exercise Sound Upload Leads to RCE

CRITICALCVE-2026-31940EXP

Session Fixation in Chamilo LMS

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 10, 2026

Actively Exploited

Apr 10, 2026

Discovered by ZDM

Apr 10, 2026

Updated: affectedVersions, severity, activelyExploited

Apr 10, 2026

Version History

v2

Last enriched 4h ago

v2Tier C4h ago

Updated affected versions to include < 1.11.37 and < 2.0.0-RC.2, changed severity to CRITICAL, and marked the vulnerability as actively exploited.

affectedVersionsseverityactivelyExploited

via VulDB

v14h ago

Initial creation