CVE-2026-56877
The SCORM lab launch endpoint in Skillable (scorm.skillable.com) through 2026-07-13 does not validate the client-supplied userId parameter a
CVSS
6.3
Medio
EPSS
0.4%
p33
KEV
—
Exploit Today
10
0-100
Publicado: 13 jul 2026 · Última mod.: 16 jul 2026 · CWE-472
0.4%EPSS · 30 días0.4%
2026-07-142026-07-16
The SCORM lab launch endpoint in Skillable (scorm.skillable.com) through 2026-07-13 does not validate the client-supplied userId parameter against the authenticated SCORM session token. An authenticated user can substitute arbitrary userId values to bypass per-user lab launch rate limits and consume other users' lab allocations, resulting in denial of service against targeted users' lab and exam access. Skillable was formerly named Learn on Demand Systems.
- www.openwall.comhttps://www.openwall.com/lists/oss-security/2026/07/12/1
- www.skillable.comhttps://www.skillable.com/security/
- seclists.orghttp://seclists.org/fulldisclosure/2026/Jul/20
- www.openwall.comhttp://www.openwall.com/lists/oss-security/2026/07/12/1
- www.openwall.comhttp://www.openwall.com/lists/oss-security/2026/07/12/2
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-393647.5 ALT79.6%
——24Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.5, on the Vite dev server, files that should be blocked by server.fs.deny (e.g., .env, *.crt) can be retrieved with HTTP 200 responses when query parameters such as ?raw, ?import&raw, or ?import&url&inline are appended. This vulnerability is fixed in 7.3.2 and 8.0.5.2dCVE-2024-220495.3 MED67.0%
——20httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.2dCVE-2026-139388.8 ALT23.6%
——7Integer overflow in Fonts in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Medium)15dCVE-2026-137969.6 CRÍ21.2%
——6Integer overflow in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)15dCVE-2026-144308.8 ALT21.0%
——6Integer overflow in V8 in Google Chrome prior to 150.0.7871.46 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)14dCVE-2026-138418.3 ALT19.8%
——6Integer overflow in Skia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)15d