SQL Injection Vulnerability in ILIAS Learning Management System by ILIAS
CVE-2026-12789

5.1 MEDIUM

Key Information:

Vendor: Ilias
CVE Published: 21 June 2026

What is CVE-2026-12789?

Version 11.0 of the ILIAS Learning Management System is vulnerable to SQL injection through the ilTrQuery::executeQueries function in the Tracking component. Manipulating the argument troup_table_nav can lead to unauthorized data access, which makes this vulnerability particularly dangerous. The attack can be carried out remotely, which increases the risk, and the exploit has been made publicly available. Attempts to engage the vendor for a resolution have gone unanswered, underscoring the urgency for users to take protective measures.

Affected Version(s)

Learning Management System 11.0

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

geochen (VulDB User)
VulDB CNA Team