ctipilot.ch

Home · Live brief · Daily brief 2026-06-23

CVE-2026-12789 — ILIAS 11.0: unpatched, PoC-public SQL injection in the learning-progress subsystem (DACH education exposure)

notable vulnerability discovered 2026-06-23 04:52 UTC

Part of run 2026-06-23-165387f6 (intel · Claude Opus 4.8)

BSI WID-SEC-2026-2016 (2026-06-22) flags CVE-2026-12789, an SQL injection in ILIAS 11.0's learning-progress tracking — specifically ilTrQuery::executeQueries in components/ILIAS/Tracking/classes/class.ilTrQuery.php (BSI WID, 2026-06-22; GitHub Advisory GHSA-69G6-PGGC-389P, 2026-06-21). Exploitation requires an authenticated session (the advisory indicates elevated privileges are needed — PR:High), and the CVSS v4 base score is a low 2.0, reflecting the auth prerequisite and limited data-exposure scope. The operational concern is not the score: no patch is available (the vendor has been unresponsive to coordinated disclosure), a proof-of-concept is public, and ILIAS is the dominant open-source LMS across Swiss, German and Austrian universities, vocational schools (Berufsschulen) and public-sector training portals; an ENISA EUVD record exists (EUVD-2026-38153) (ENISA EUVD, 2026-06-22). Below the standard § 2 CVSS/exploitation gate, retained on CH/EU-public-sector-education relevance. Until a fix ships: apply WAF rules blocking SQL metacharacter sequences on the tracking endpoints; restrict learning-progress endpoints to enrolled roles; and confirm the ILIAS database account lacks FILE/DROP/superuser rights (T1190 Exploit Public-Facing Application, T1078 Valid Accounts). Hunt DB slow-query / WAF logs for UNION SELECT patterns in POST bodies to tracking endpoints and anomalous result-set volumes.
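The hunt described above, as an added example that is not part of the brief, the BSI advisory or ILIAS itself: a small Python pass over WAF/access log lines that flags POST requests to learning-progress endpoints whose URL-decoded body carries UNION SELECT or related SQL indicators, and separately flags responses far above the endpoint's median size (the "anomalous result-set volume" signal). The log format (JSON lines with ts, method, path, status, body, resp_bytes), the path fragments in TRACKING_MARKERS and the sample lines in SAMPLE_LOG are all constructed assumptions, not ILIAS routes or real traffic.

```python
"""Added example (not ILIAS, BSI or GHSA code): hunt WAF/access logs for
SQL-injection indicators against learning-progress/tracking endpoints and
for anomalous response volumes.

Assumed (not from the advisory): logs are JSON lines with the fields
ts, method, path, status, body (raw, URL-encoded) and resp_bytes, and
tracking endpoints are identified by the placeholder fragments in
TRACKING_MARKERS. Adjust both to your deployment.
"""
import json
import re
import statistics
from urllib.parse import unquote_plus

# Placeholder path fragments assumed to identify learning-progress endpoints.
TRACKING_MARKERS = ("tracking", "learning_progress", "learningprogress")

# Indicator patterns, matched against the fully URL-decoded request body.
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I)),
    ("comment_terminator", re.compile(r"(?:--|/\*)")),
    ("tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("stacked_query", re.compile(r";\s*(?:select|drop|insert|update|delete)\b", re.I)),
]

# Constructed sample log lines (not real traffic). The fifth entry carries a
# UNION SELECT body and an oversized response; the others are ordinary use.
SAMPLE_LOG = [
    '{"ts":"2026-06-23T04:10:01Z","method":"POST","path":"/lms/tracking/progress","status":200,"body":"obj_id=42&cmd=show","resp_bytes":2100}',
    '{"ts":"2026-06-23T04:10:07Z","method":"POST","path":"/lms/tracking/progress","status":200,"body":"obj_id=43&cmd=show","resp_bytes":2400}',
    '{"ts":"2026-06-23T04:10:12Z","method":"GET","path":"/lms/tracking/progress","status":200,"body":"","resp_bytes":900}',
    '{"ts":"2026-06-23T04:10:20Z","method":"POST","path":"/lms/tracking/progress","status":200,"body":"obj_id=44&cmd=show&note=please+select+a+course","resp_bytes":2300}',
    '{"ts":"2026-06-23T04:11:03Z","method":"POST","path":"/lms/tracking/progress","status":200,"body":"obj_id=42+UNION+SELECT+1%2C2%2C3--+&cmd=show","resp_bytes":180000}',
    '{"ts":"2026-06-23T04:11:09Z","method":"POST","path":"/lms/tracking/progress","status":200,"body":"obj_id=45&cmd=show","resp_bytes":2250}',
    '{"ts":"2026-06-23T04:11:15Z","method":"POST","path":"/lms/search","status":200,"body":"q=algebra","resp_bytes":5100}',
]


def is_tracking_request(rec):
    """POST requests whose path contains one of the assumed tracking markers."""
    path = rec.get("path", "").lower()
    return rec.get("method", "").upper() == "POST" and any(m in path for m in TRACKING_MARKERS)


def sqli_indicators(body):
    """Names of SQLI_PATTERNS that match the body after decoding it twice
    (the second pass catches double-URL-encoded payloads)."""
    decoded = unquote_plus(unquote_plus(body or ""))
    return [name for name, pat in SQLI_PATTERNS if pat.search(decoded)]


def hunt(log_lines, volume_factor=5.0):
    """Return one finding per suspicious tracking request: its ts, path and
    the reasons (sqli:<pattern> and/or volume:<detail>)."""
    records = [json.loads(line) for line in log_lines if line.strip()]
    tracking = [r for r in records if is_tracking_request(r)]
    # Baseline for "anomalous result-set volume": median response size of
    # tracking POSTs in the window being examined.
    sizes = [r.get("resp_bytes", 0) for r in tracking]
    baseline = statistics.median(sizes) if sizes else 0
    findings = []
    for r in tracking:
        reasons = [f"sqli:{name}" for name in sqli_indicators(r.get("body", ""))]
        size = r.get("resp_bytes", 0)
        if baseline and size > volume_factor * baseline:
            reasons.append(f"volume:{size}B>{volume_factor:g}x median {baseline:.0f}B")
        if reasons:
            findings.append({"ts": r.get("ts"), "path": r.get("path"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["ts"], f["path"], ", ".join(f["reasons"]))
```

On real data, point SAMPLE_LOG at the WAF or reverse-proxy export and tune TRACKING_MARKERS to the actual routes; the volume baseline is computed per run, so examine windows long enough to contain normal traffic. The body patterns are intentionally narrow (they aim at the UNION SELECT and comment-terminator shapes the brief names), so treat a hit as a triage lead, not a verdict, and pair it with the DB slow-query log for the same timestamp.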

“WID-SEC-2026-2016 — ILIAS: Vulnerability enables SQL injection — CVE-2026-12789 — No patch available — public proof-of-concept exists” — BSI WID

“SQL injection in ilTrQuery::executeQueries in components/ILIAS/Tracking/classes/class.ilTrQuery.php — ILIAS 11.0 — requires authenticated session” — GitHub Advisory GHSA-69G6-PGGC-389P

vulnerabilities sqli poc-public no-patch dach europe CVE-2026-12789