CVE-2026-12789 — ILIAS 11.0: unpatched, PoC-public SQL injection in the learning-progress subsystem (DACH education exposure)
From CTI Daily Brief — 2026-06-23 · published 2026-06-23
BSI WID-SEC-2026-2016 (2026-06-22) flags CVE-2026-12789, an SQL injection in ILIAS 11.0's learning-progress tracking — specifically ilTrQuery::executeQueries in components/ILIAS/Tracking/classes/class.ilTrQuery.php (BSI WID, 2026-06-22; GitHub Advisory GHSA-69G6-PGGC-389P, 2026-06-21). Exploitation requires an authenticated session (the advisory indicates elevated privileges are needed — PR:High), and the CVSS v4 base score is a low 2.0, reflecting the auth prerequisite and limited data-exposure scope.

The operational concern is not the score: no patch is available (the vendor has been unresponsive to coordinated disclosure), a proof-of-concept is public, and ILIAS is the dominant open-source LMS across Swiss, German and Austrian universities, vocational schools (Berufsschulen) and public-sector training portals; an ENISA EUVD record exists (EUVD-2026-38153) (ENISA EUVD, 2026-06-22). Below the standard § 2 CVSS/exploitation gate, retained on CH/EU-public-sector-education relevance — see § 7.

Until a fix ships: apply WAF rules blocking SQL metacharacter sequences on the tracking endpoints; restrict learning-progress endpoints to enrolled roles; and confirm the ILIAS database account lacks FILE/DROP/superuser rights (T1190 Exploit Public-Facing Application, T1078 Valid Accounts). Hunt DB slow-query / WAF logs for UNION SELECT patterns in POST bodies to tracking endpoints and anomalous result-set volumes.
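The hunt described above, as an added example that is not from the brief, the advisories or the ILIAS project: it URL-decodes POST bodies sent to the learning-progress endpoints (including double-encoded ones), flags UNION SELECT and SQL metacharacter sequences, and compares each response size against the per-endpoint median. The log layout, the tracking path (a placeholder) and the sample lines are constructed assumptions; substitute the deployment's real routes and WAF/access-log fields.

```python
import re
import statistics
from urllib.parse import unquote_plus

# Constructed sample log lines (not taken from the brief). Fields: method, path,
# status, response bytes, POST body. The tracking path is a placeholder.
TRACKING_PATH = "/lp-tracking-endpoint-placeholder"
SAMPLE_LOG = """\
POST /lp-tracking-endpoint-placeholder 200 1843 cmd=show&user_id=42
POST /lp-tracking-endpoint-placeholder 200 1790 cmd=show&user_id=43
POST /lp-tracking-endpoint-placeholder 200 1902 cmd=show&user_id=44
POST /lp-tracking-endpoint-placeholder 200 4120394 cmd=show&user_id=42%2520UNION%2520SELECT%25201--
POST /dashboard-placeholder 200 2210 cmd=show&filter=x%27%20UNION%20SELECT%201
POST /lp-tracking-endpoint-placeholder 200 1850 cmd=show&user_id=45%27%3B--
"""

# UNION ... SELECT with whitespace or inline comments between the keywords.
UNION_SELECT = re.compile(r"\bunion\b(?:\s|/\*.*?\*/)+(?:all\s+)?select\b", re.I | re.S)
# Metacharacter sequences the brief's WAF rule targets: quote, comment, statement separator.
METACHARS = re.compile(r"'|--|/\*|;")

def normalize(body, rounds=3):
    """URL-decode up to `rounds` times so double encoding does not hide keywords."""
    for _ in range(rounds):
        decoded = unquote_plus(body)
        if decoded == body:
            break
        body = decoded
    return body

def parse(line):
    method, path, status, size, body = line.split(" ", 4)
    return {"method": method, "path": path, "status": int(status), "bytes": int(size), "body": body}

def hunt(log_text, tracking_path=TRACKING_PATH, volume_factor=10):
    """Return (line_no, reason) findings for POSTs to the tracking path."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    is_tracking = lambda e: e["method"] == "POST" and e["path"].startswith(tracking_path)
    sizes = [e["bytes"] for e in events if is_tracking(e)]
    baseline = statistics.median(sizes) if sizes else 0  # per-endpoint normal result-set size
    findings = []
    for line_no, e in enumerate(events, 1):
        if not is_tracking(e):
            continue
        body = normalize(e["body"])
        if UNION_SELECT.search(body):
            findings.append((line_no, "union_select"))
        elif METACHARS.search(body):
            findings.append((line_no, "sql_metachars"))
        if baseline and e["bytes"] > volume_factor * baseline:
            findings.append((line_no, "anomalous_volume"))  # oversized response, possible data pull
    return findings
```

The volume check only works once the baseline covers normal traffic; run it per endpoint over a window, not over a handful of lines.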