CVE-2026-12789 | A vulnerability was identified in ILIAS Learning Management … | CVSS 4.7 MEDIUM

Description

A vulnerability was identified in ILIAS Learning Management System 11.0. This issue affects the function ilTrQuery::executeQueries of the file components/ILIAS/Tracking/classes/class.ilTrQuery.php of the component Learning Progress Tracking. Such manipulation of the argument troup_table_nav leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Metadata

CVE ID: CVE-2026-12789
State: PUBLISHED
Assigner: VulDB
Reserved: 2026-06-20 10:03 UTC
Published: 2026-06-21 08:00 UTC
Last updated: 2026-06-21 08:00 UTC
Primary CWE: CWE-89
SQL Injection
Vendor / Product: ILIAS / Learning Management System
Sources: cve.org · NVD

Severity & Metrics

4.7 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Affected products (1)

Vendor	Product	Platform	Versions
ILIAS	Learning Management System	—	11.0

Weakness (CWE)

CWE	Source	Description
CWE-74	cna	Injection
CWE-89	cna	SQL Injection

CVSS scores (4)

Score	Severity	Version	Source	Vector
5.8	N/D	2.0	cna	AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
5.1	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
4.7	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
4.7	MEDIUM	3.0	cna	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

References (4)

VDB-372531 | ILIAS Learning Management System Learning Progress Tracking class.ilTrQuery.php executeQueries sql injection https://vuldb.com/vuln/372531
VDB-372531 | CTI Indicators (IOB, IOC, TTP, IOA) https://vuldb.com/vuln/372531/cti
CVE-2026-12789 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-12789
Submit #836104 | ILIAS ILIAS-eLearning 11.0 SQL Injection https://vuldb.com/submit/836104