CVE-2026-1106 | Chamilo LMS up to 2.0.0 Beta 1 Legal Consent SocialController.php deleteLegal userId improper authorization

A vulnerability classified as critical has been found in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in improper authorization.

This vulnerability is reported as CVE-2026-1106. The attack is possible to be carried out remotely. Moreover, an exploit is present.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-1106 | Chamilo LMS up to 2.0.0 Beta 1 Legal Consent SocialController.php deleteLegal userId improper authorization

Post correlati

CVE-2020-35546 | Lexmark MX6500 up to LW75.JD.P296 Access Control Settings access control

CVE-2025-43722 | Dell PowerScale OneFS up to 9.12.0.0 privileges management (dsa-2025-319)

CVE-2025-1610 | LB-LINK AC1900 Router 1.0.2 /goform/set_blacklist websGetVar mac/enable os command injection

CVE-2024-31444 | Cacti up to 1.2.26 automation_tree_rules.php automation_tree_rules_form_save cross site scripting