ctipilot.ch

ILIAS 11.0 SQL injection (ilTrQuery), no patch, PoC public

cve · CVE-2026-12789

  • Coverage timeline: 1 (first 2026-06-23 → last 2026-06-23)
  • Briefs: 1 (1 distinct)
  • Sources cited: 7 (6 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-06-23: CTI Daily Brief — 2026-06-23
     trending_vulns: First coverage — BSI WID-SEC-2026-2016; DACH education exposure; below CVSS gate, retained on relevance

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • wid.cert-bund.de: 2 (29%)
  • euvd.enisa.europa.eu: 1 (14%)
  • github.com: 1 (14%)
  • apereo.github.io: 1 (14%)
  • docu.ilias.de: 1 (14%)
  • security-hub.ncsc.admin.ch: 1 (14%)

Related entities

Items in briefs about ILIAS 11.0 SQL injection (ilTrQuery), no patch, PoC public (1)

CVE-2026-12789 — ILIAS 11.0: unpatched, PoC-public SQL injection in the learning-progress subsystem (DACH education exposure)

From CTI Daily Brief — 2026-06-23 · published 2026-06-23

BSI WID-SEC-2026-2016 (2026-06-22) flags CVE-2026-12789, an SQL injection in ILIAS 11.0's learning-progress tracking — specifically ilTrQuery::executeQueries in components/ILIAS/Tracking/classes/class.ilTrQuery.php (BSI WID, 2026-06-22; GitHub Advisory GHSA-69G6-PGGC-389P, 2026-06-21). Exploitation requires an authenticated session (the advisory indicates elevated privileges are needed — PR:High), and the CVSS v4 base score is a low 2.0, reflecting the auth prerequisite and limited data-exposure scope. The operational concern is not the score: no patch is available (the vendor has been unresponsive to coordinated disclosure), a proof-of-concept is public, and ILIAS is the dominant open-source LMS across Swiss, German and Austrian universities, vocational schools (Berufsschulen) and public-sector training portals; an ENISA EUVD record exists (EUVD-2026-38153) (ENISA EUVD, 2026-06-22). Below the standard § 2 CVSS/exploitation gate, retained on CH/EU-public-sector-education relevance — see § 7. Until a fix ships: apply WAF rules blocking SQL metacharacter sequences on the tracking endpoints; restrict learning-progress endpoints to enrolled roles; and confirm the ILIAS database account lacks FILE/DROP/superuser rights (T1190 Exploit Public-Facing Application, T1078 Valid Accounts). Hunt DB slow-query / WAF logs for UNION SELECT patterns in POST bodies to tracking endpoints and anomalous result-set volumes.
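The hunt step above (UNION SELECT patterns in POST bodies to tracking endpoints, plus anomalous result-set volumes) as an added, stand-alone example; it is not code from the brief, BSI or the ILIAS project. It assumes a JSON-lines WAF/proxy log with the fields shown, and the `/Tracking/` request path prefix and the sample lines are constructed placeholders, not real ILIAS routes or traffic.

```python
import json
import re
from urllib.parse import unquote_plus

# Assumption: the WAF / reverse proxy writes one JSON object per request with
# ts, user, method, path, body and rows_returned. The tracking-endpoint path
# prefix below is a constructed placeholder, not a real ILIAS route.
TRACKING_PATH_RE = re.compile(r"/Tracking/", re.I)

# UNION [ALL] SELECT, matched after normalize() has removed inline comments
# and collapsed whitespace, so union/**/select and union%09select both match.
UNION_SELECT_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)

def normalize(body: str) -> str:
    """URL-decode twice (catches double encoding), drop /* */ comments, squash whitespace."""
    decoded = unquote_plus(unquote_plus(body))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)
    return re.sub(r"\s+", " ", decoded)

def hunt(log_lines, volume_threshold=10_000):
    """Return one finding per suspicious request to a tracking endpoint."""
    findings = []
    for raw in log_lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the hunt
        if not TRACKING_PATH_RE.search(ev.get("path", "")):
            continue  # out of scope: the brief targets the tracking endpoints
        reasons = []
        if ev.get("method") == "POST" and UNION_SELECT_RE.search(normalize(ev.get("body", ""))):
            reasons.append("union_select_in_post_body")
        if ev.get("rows_returned", 0) > volume_threshold:
            reasons.append("anomalous_result_volume")
        if reasons:
            findings.append({"ts": ev.get("ts"), "user": ev.get("user"), "reasons": reasons})
    return findings

# Constructed sample log lines (not real traffic): benign, plain UNION, comment/double-encoded
# UNION, oversized export, same pattern on a non-tracking path (ignored), malformed line.
SAMPLE_LOG = [
    '{"ts":"2026-06-23T08:01:12Z","user":"student42","method":"POST","path":"/lms/Tracking/progress","body":"ref_id=1234&cmd=show","rows_returned":12}',
    '{"ts":"2026-06-23T08:02:40Z","user":"tutor7","method":"POST","path":"/lms/Tracking/progress","body":"ref_id=1234%27+UNION+ALL+SELECT+1%2C2%2C3--+-","rows_returned":3}',
    '{"ts":"2026-06-23T08:03:05Z","user":"tutor7","method":"POST","path":"/lms/Tracking/progress","body":"ref_id=1234%2527/**/union%2509select%25201--","rows_returned":3}',
    '{"ts":"2026-06-23T08:05:30Z","user":"tutor7","method":"POST","path":"/lms/Tracking/export","body":"ref_id=1234","rows_returned":250000}',
    '{"ts":"2026-06-23T08:06:00Z","user":"student9","method":"POST","path":"/lms/search","body":"q=union+select","rows_returned":5}',
    'not json at all',
]
```

Running `hunt(SAMPLE_LOG)` yields three findings, all for the same user; the non-tracking request and the malformed line are dropped, which is the scoping the brief asks for.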