Three LMS Flaws Expose Databases and Enable Command Injection
CERT Polska disclosed three vulnerabilities in LMS (LAN Management System), including two high-severity issues tracked as CVE-2026-40455 and CVE-2026-40456. The first is an authenticated SQL injection in tarifflist.php before commit 4cb30a7, caused by insufficient sanitization of the POST tg[] parameter and unsafe query construction with implode(), allowing attackers to extract sensitive database information. The second is an OS command injection before commit 9fcb4de, where an IP address parameter is passed to exec() without proper validation, enabling arbitrary operating system command execution.
CERT Polska also reported CVE-2026-40457, a reflected XSS flaw in dbrecover.php and netremap.php before commit 9c5651b that can trigger arbitrary JavaScript execution when an authenticated user opens a crafted link under certain conditions. The SQL injection and command injection bugs were both rated High with CVSS 4.0 base scores of 8.6, and the disclosure credited Tymoteusz Dominik for responsibly reporting the issues. Organizations running LMS versions prior to the referenced commits should prioritize patching and review exposure of authenticated administrative functions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-40456 is published as a high-severity LMS command injection
On 2026-06-18, CVE-2026-40456 was published for an OS command injection in LMS before commit 9fcb4de. The issue stems from passing an IP address parameter to exec() without proper validation, enabling arbitrary operating system command execution.
CVE-2026-40455 is published as a high-severity LMS SQL injection
On 2026-06-18, CVE-2026-40455 was published for an authenticated SQL injection in LMS before commit 4cb30a7. The flaw affects tarifflist.php through insufficient sanitization of the POST tg[] parameter and can expose sensitive database information.
CERT Polska publishes coordinated disclosure for LMS vulnerabilities
On 2026-06-18, CERT Polska published a coordinated disclosure covering three LMS vulnerabilities: CVE-2026-40455, CVE-2026-40456, and CVE-2026-40457. The disclosure described an authenticated SQL injection in tarifflist.php, an OS command injection tied to unsafe use of an IP address parameter in exec(), and a reflected XSS in dbrecover.php and netremap.php.
Researcher responsibly reports three LMS vulnerabilities to CERT Polska
CERT Polska credited Tymoteusz Dominik for responsibly reporting three vulnerabilities affecting LMS (LAN Management System): SQL injection, OS command injection, and reflected XSS. The source does not provide a specific date for when the report was made.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2026-40455 - SQL Injection in LMS
cvefeed.io
Open sourceCVE-2026-40456 - OS Command Injection in LMS
cvefeed.io
Open sourceVulnerabilities in LMS software | CERT Polska
cert.pl
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Chamilo LMS Flaws Enable Unauthenticated RCE and Arbitrary File Deletion
Chamilo LMS disclosed two high-severity vulnerabilities affecting versions prior to **1.11.38**, including **CVE-2026-33698**, an unauthenticated remote code execution issue tied to the `main/install/` directory, and **CVE-2026-31939**, a path traversal flaw in `main/exercise/savescores.php` that can be abused for arbitrary file deletion. The RCE issue stems from a chained attack that can re-enable otherwise blocked PHP execution in the installer path; if `main/install/` remains present and readable, an attacker can modify existing files or create new ones within the permissions of the web server. The second flaw allows user-controlled input from `$_REQUEST['test']` to be concatenated into a filesystem path without proper canonicalization or traversal checks, enabling deletion of arbitrary files with low attack complexity. The vulnerabilities were classified under **CWE-552**, **CWE-22**, and **CWE-73**, and both were addressed in **Chamilo LMS 1.11.38** through vendor patches and a coordinated GitHub security advisory, making upgrade and removal or restriction of exposed installer files an urgent priority for affected deployments.
May 24, 2026
Multiple Unrelated Critical Vulnerabilities Disclosed in October 2025
A series of critical and high-severity vulnerabilities affecting a diverse set of software products were publicly disclosed in October 2025. Epsilon RH by Grupo Castilla was found to have a SQL injection vulnerability (CVE-2025-41028) that allows attackers to manipulate the database by sending crafted POST requests to the 'sEstadoUsr' parameter in the '/epsilonnetws/WSAvisos.asmx' endpoint. Lanscope Endpoint Manager (CVE-2025-61932) was reported to have an improper origin verification flaw, enabling attackers to execute arbitrary code via specially crafted packets, though remote exploitation is not possible. Galaxy Software Services Vitals ESP Forum Module (CVE-2025-31342) was discovered to allow remote authenticated users to upload dangerous files, leading to arbitrary command execution. Fsas Technologies Inc.'s ETERNUS SF (CVE-2025-62577) contains incorrect default permissions, allowing low-privileged users to obtain database credentials and potentially escalate privileges to execute OS commands as an administrator. Excellent Infotek's Document Management System (CVE-2025-11948) is vulnerable to unauthenticated arbitrary file upload, enabling attackers to deploy web shells and execute code on the server. Vvveb CMS up to version 1.0.5 is susceptible to authenticated code injection via its Code Editor, allowing attackers to modify files and achieve remote code execution. The Theme Editor plugin for WordPress (CVE-2025-9890) is vulnerable to cross-site request forgery, which can be exploited to achieve remote code execution if an administrator is tricked into clicking a malicious link. The PPOM plugin for WooCommerce (CVE-2025-11391) allows unauthenticated arbitrary file uploads, posing a severe risk to affected e-commerce sites. The Appointments plugin for WordPress (CVE-2017-20206) and the Flickr Gallery plugin (CVE-2017-20207) both suffer from unauthenticated PHP object injection vulnerabilities, which have been actively exploited to create backdoors using the WP_Theme() class. RegistrationMagic (CVE-2017-20208) is also affected by a PHP object injection flaw, allowing attackers to fetch and install remote files. Finally, BLU-IC2 and BLU-IC4 devices (CVE-2025-11925) have an API that returns an incorrect Content-Type header, potentially enabling HTML/JavaScript injection in responses. Each of these vulnerabilities presents a significant risk, with several allowing remote code execution, privilege escalation, or the installation of persistent backdoors. The affected products span web applications, content management systems, endpoint management tools, and specialized enterprise software. Security teams are advised to review the specific advisories, apply patches or mitigations where available, and monitor for signs of exploitation, as several vulnerabilities have been reported as actively exploited in the wild. The diversity and severity of these disclosures underscore the ongoing need for rigorous vulnerability management and timely response to public advisories.
Mar 21, 2026
Unauthenticated SQL Injection Flaws Expose Data in CMSsite and XATABoost CMS
Two content management systems were identified with **unauthenticated SQL injection** vulnerabilities that allow remote attackers to tamper with backend database queries and extract sensitive information. `CVE-2019-25697` affects **CMSsite 1.0**, where the `cat_id` parameter in `category.php` can be abused through crafted `GET` requests, potentially exposing usernames, credentials, and other database contents. A separate flaw, `CVE-2018-25300`, affects **XATABoost CMS 1.0.0** through a **union-based SQL injection** in the `id` parameter of `news.php`, also reachable remotely without authentication via crafted `GET` requests. Both records were published with **CWE-89** classification, CVSS v3.1 and v4.0 scoring data, and references to public advisories and exploit resources, underscoring the risk of database compromise in internet-exposed deployments.
Apr 29, 2026