VYPR
Critical severity9.6NVD Advisory· Published Mar 18, 2026· Updated Apr 16, 2026

CVE-2026-30884

CVE-2026-30884

Description

mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds mod/customcert:manage in any single course can read and silently overwrite certificate elements belonging to any other course in the Moodle installation. The core_get_fragment callback editelement and the mod_customcert_save_element web service both fail to verify that the supplied elementid belongs to the authorized context, enabling cross-course information disclosure and data tampering. Versions 4.4.9 and 5.0.3 fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.