CVE-2026-25885

Critical CVSS: 10.0

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-16 and earlier, the group chat WebSocket at wss://polarlearn.nl/api/v1/ws can be used without logging in. An unauthenticated client can subscribe to any group chat by providing a group UUID, and can also send messages to any group. The server accepts the message and stores it in the group’s chatContent, so this is not just a visual spam issue.

Vendor

Polarlearn

Product

Polarlearn

CWE

CWE-285

Yayın Tarihi

2026-02-09 22:16:03

Güncelleme

2026-02-20 20:47:36

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-285 Polarlearn CRITICAL Polarlearn 2026

Referanslar

https://github.com/polarnl/PolarLearn/commit/3ba588fda0d3f8e238483a20772719f27e52e79f https://github.com/polarnl/PolarLearn/security/advisories/GHSA-gvjm-5pw7-6c8c

Benzer Kayıtlar

Low

CVE-2026-25221

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, the OAuth 2.0 implementation for…

Medium

CVE-2026-25222

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, a timing attack vulnerability in…

High

CVE-2026-25126

PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (`POST /api/…