Formalms
by Forma
CVEs (16)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-36998 | Med | 0.42 | 6.4 | 0.00 | Jan 30, 2026 | Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name, description fields, and email parameter to execute arbitrary JavaScript without… | ||
| CVE-2020-36960 | Med | 0.42 | 6.4 | 0.00 | Jan 26, 2026 | Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '' to execute arbitrary JavaScript when the… | ||
| CVE-2021-43136 | 0.04 | — | 0.16 | Nov 10, 2021 | An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain a valid access to the platform. | |||
| CVE-2026-26744 | 0.00 | — | 0.00 | Feb 19, 2026 | A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine… | |||
| CVE-2023-46693 | 0.00 | — | 0.00 | Dec 7, 2023 | Cross Site Scripting (XSS) vulnerability in FormaLMS before 4.0.5 allows attackers to run arbitrary code via title parameters. | |||
| CVE-2022-41679 | 0.00 | — | 0.00 | Oct 31, 2022 | Forma LMS version 3.1.0 and earlier are affected by an Cross-Site scripting vulnerability, that could allow a remote attacker to inject javascript code on the “back_url” parameter in appLms/index.php?modname=faq&op=play function. The exploitation of this vulnerability could… | |||
| CVE-2022-42924 | 0.00 | — | 0.00 | Oct 31, 2022 | Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the 'dyn_filter' parameter in the… | |||
| CVE-2022-41681 | 0.00 | — | 0.01 | Oct 31, 2022 | There is a vulnerability on Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to privilege escalate in order to upload a Zip file through the SCORM importer feature. The exploitation of this vulnerability could lead to a… | |||
| CVE-2022-41680 | 0.00 | — | 0.00 | Oct 31, 2022 | Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the 'search[value] parameter in the… | |||
| CVE-2022-42925 | 0.00 | — | 0.01 | Oct 31, 2022 | There is a vulnerability on Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to privilege escalate in order to upload a Zip file through the plugin upload component. The exploitation of this vulnerability could lead to a… | |||
| CVE-2022-42923 | 0.00 | — | 0.01 | Oct 31, 2022 | Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the 'id' parameter in the… | |||
| CVE-2022-27104 | 0.00 | — | 0.01 | Apr 19, 2022 | An Unauthenticated time-based blind SQL injection vulnerability exists in Forma LMS prior to v.1.4.3. | |||
| CVE-2020-26802 | 0.00 | — | 0.01 | Oct 8, 2020 | forma.lms 2.3.0.2 is affected by Cross Site Request Forgery (CSRF) in formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo via a GET request to change the admin email address in order to accomplish an account takeover. | |||
| CVE-2019-5109 | 0.00 | — | 0.01 | Dec 3, 2019 | Exploitable SQL injection vulnerabilities exists in the authenticated portion of Forma LMS 2.2.1. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability,… | |||
| CVE-2019-5112 | 0.00 | — | 0.02 | Dec 3, 2019 | Exploitable SQL injection vulnerability exists in the authenticated portion of Forma LMS 2.2.1. The /appLms/ajax.server.php URL and parameter filter_status was confirmed to suffer from SQL injections and could be exploited by authenticated attackers. An attacker can send a web… | |||
| CVE-2014-5257 | 0.00 | — | 0.02 | Nov 6, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Forma Lms before 1.2.1 p01 allow remote attackers to inject arbitrary web script or HTML via the (1) id_custom parameter in an amanmenu request or (2) id_game parameter in an alms/games/edit request to appCore/index.php. |
- risk 0.42cvss 6.4epss 0.00
Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name, description fields, and email parameter to execute arbitrary JavaScript without…
- risk 0.42cvss 6.4epss 0.00
Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '' to execute arbitrary JavaScript when the…
- CVE-2021-43136Nov 10, 2021risk 0.04cvss —epss 0.16
An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain a valid access to the platform.
- CVE-2026-26744Feb 19, 2026risk 0.00cvss —epss 0.00
A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine…
- CVE-2023-46693Dec 7, 2023risk 0.00cvss —epss 0.00
Cross Site Scripting (XSS) vulnerability in FormaLMS before 4.0.5 allows attackers to run arbitrary code via title parameters.
- CVE-2022-41679Oct 31, 2022risk 0.00cvss —epss 0.00
Forma LMS version 3.1.0 and earlier are affected by an Cross-Site scripting vulnerability, that could allow a remote attacker to inject javascript code on the “back_url” parameter in appLms/index.php?modname=faq&op=play function. The exploitation of this vulnerability could…
- CVE-2022-42924Oct 31, 2022risk 0.00cvss —epss 0.00
Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the 'dyn_filter' parameter in the…
- CVE-2022-41681Oct 31, 2022risk 0.00cvss —epss 0.01
There is a vulnerability on Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to privilege escalate in order to upload a Zip file through the SCORM importer feature. The exploitation of this vulnerability could lead to a…
- CVE-2022-41680Oct 31, 2022risk 0.00cvss —epss 0.00
Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the 'search[value] parameter in the…
- CVE-2022-42925Oct 31, 2022risk 0.00cvss —epss 0.01
There is a vulnerability on Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to privilege escalate in order to upload a Zip file through the plugin upload component. The exploitation of this vulnerability could lead to a…
- CVE-2022-42923Oct 31, 2022risk 0.00cvss —epss 0.01
Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the 'id' parameter in the…
- CVE-2022-27104Apr 19, 2022risk 0.00cvss —epss 0.01
An Unauthenticated time-based blind SQL injection vulnerability exists in Forma LMS prior to v.1.4.3.
- CVE-2020-26802Oct 8, 2020risk 0.00cvss —epss 0.01
forma.lms 2.3.0.2 is affected by Cross Site Request Forgery (CSRF) in formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo via a GET request to change the admin email address in order to accomplish an account takeover.
- CVE-2019-5109Dec 3, 2019risk 0.00cvss —epss 0.01
Exploitable SQL injection vulnerabilities exists in the authenticated portion of Forma LMS 2.2.1. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability,…
- CVE-2019-5112Dec 3, 2019risk 0.00cvss —epss 0.02
Exploitable SQL injection vulnerability exists in the authenticated portion of Forma LMS 2.2.1. The /appLms/ajax.server.php URL and parameter filter_status was confirmed to suffer from SQL injections and could be exploited by authenticated attackers. An attacker can send a web…
- CVE-2014-5257Nov 6, 2014risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Forma Lms before 1.2.1 p01 allow remote attackers to inject arbitrary web script or HTML via the (1) id_custom parameter in an amanmenu request or (2) id_game parameter in an alms/games/edit request to appCore/index.php.