CVE-2026-32930

EUVD-2026-21529
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 10%
Affected Products (NVD)
VendorProductVersion
chamilochamilo_lms
𝑥
< 1.11.38
chamilochamilo_lms
2.0.0:alpha1
chamilochamilo_lms
2.0.0:alpha2
chamilochamilo_lms
2.0.0:alpha3
chamilochamilo_lms
2.0.0:alpha4
chamilochamilo_lms
2.0.0:alpha5
chamilochamilo_lms
2.0.0:beta1
chamilochamilo_lms
2.0.0:beta2
chamilochamilo_lms
2.0.0:beta3
chamilochamilo_lms
2.0.0:rc1
chamilochamilo_lms
2.0.0:rc2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/chamilo/chamilo-lms/commit/63e1e6d3d717bd537c7c61719416da35aaa658dd
https://github.com/chamilo/chamilo-lms/commit/f03f681df939db0429edc8414fb3ce4e4b80d79d
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-9h22-wrg7-82q6