Description

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

INFO

Published Date :

2026-04-10T17:44:24.994Z

Last Modified :

2026-04-13T15:36:28.238Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32894 vulnerability.

Vendors Products
Chamilo
  • Chamilo Lms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32894.

URL Resource
https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151 cve-icon cve-icon
https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519 cve-icon cve-icon
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact