Forma
Products
1- 16 CVEs
Recent CVEs
16| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-43136 | Cri | 0.68 | 9.8 | 0.16 | Nov 10, 2021 | An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain a valid access to the platform. | ||
| CVE-2022-42925 | Cri | 0.64 | 9.9 | 0.01 | Oct 31, 2022 | There is a vulnerability on Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to privilege escalate in order to upload a Zip file through the plugin upload component. The exploitation of this vulnerability could lead to a… | ||
| CVE-2022-41681 | Cri | 0.64 | 9.9 | 0.01 | Oct 31, 2022 | There is a vulnerability on Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to privilege escalate in order to upload a Zip file through the SCORM importer feature. The exploitation of this vulnerability could lead to a… | ||
| CVE-2022-27104 | Cri | 0.64 | 9.8 | 0.01 | Apr 19, 2022 | An Unauthenticated time-based blind SQL injection vulnerability exists in Forma LMS prior to v.1.4.3. | ||
| CVE-2020-26802 | Hig | 0.57 | 8.8 | 0.01 | Oct 8, 2020 | forma.lms 2.3.0.2 is affected by Cross Site Request Forgery (CSRF) in formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo via a GET request to change the admin email address in order to accomplish an account takeover. | ||
| CVE-2019-5112 | Hig | 0.57 | 8.8 | 0.02 | Dec 3, 2019 | Exploitable SQL injection vulnerability exists in the authenticated portion of Forma LMS 2.2.1. The /appLms/ajax.server.php URL and parameter filter_status was confirmed to suffer from SQL injections and could be exploited by authenticated attackers. An attacker can send a web… | ||
| CVE-2019-5109 | Hig | 0.57 | 8.8 | 0.01 | Dec 3, 2019 | Exploitable SQL injection vulnerabilities exists in the authenticated portion of Forma LMS 2.2.1. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability,… | ||
| CVE-2022-42923 | Hig | 0.54 | 8.3 | 0.01 | Oct 31, 2022 | Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the 'id' parameter in the… | ||
| CVE-2022-42924 | Hig | 0.49 | 7.6 | 0.00 | Oct 31, 2022 | Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the 'dyn_filter' parameter in the… | ||
| CVE-2022-41680 | Hig | 0.49 | 7.6 | 0.00 | Oct 31, 2022 | Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the 'search[value] parameter in the… | ||
| CVE-2020-36998 | Med | 0.42 | 6.4 | 0.00 | Jan 30, 2026 | Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name, description fields, and email parameter to execute arbitrary JavaScript without… | ||
| CVE-2020-36960 | Med | 0.42 | 6.4 | 0.00 | Jan 26, 2026 | Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '' to execute arbitrary JavaScript when the… | ||
| CVE-2023-46693 | Med | 0.40 | 6.1 | 0.00 | Dec 7, 2023 | Cross Site Scripting (XSS) vulnerability in FormaLMS before 4.0.5 allows attackers to run arbitrary code via title parameters. | ||
| CVE-2022-41679 | Med | 0.31 | 4.7 | 0.00 | Oct 31, 2022 | Forma LMS version 3.1.0 and earlier are affected by an Cross-Site scripting vulnerability, that could allow a remote attacker to inject javascript code on the “back_url” parameter in appLms/index.php?modname=faq&op=play function. The exploitation of this vulnerability could… | ||
| CVE-2026-26744 | 0.00 | — | 0.00 | Feb 19, 2026 | A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine… | |||
| CVE-2014-5257 | 0.00 | — | 0.02 | Nov 6, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in Forma Lms before 1.2.1 p01 allow remote attackers to inject arbitrary web script or HTML via the (1) id_custom parameter in an amanmenu request or (2) id_game parameter in an alms/games/edit request to appCore/index.php. |
- risk 0.68cvss 9.8epss 0.16
An authentication bypass issue in FormaLMS <= 2.4.4 allows an attacker to bypass the authentication mechanism and obtain a valid access to the platform.
- risk 0.64cvss 9.9epss 0.01
There is a vulnerability on Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to privilege escalate in order to upload a Zip file through the plugin upload component. The exploitation of this vulnerability could lead to a…
- risk 0.64cvss 9.9epss 0.01
There is a vulnerability on Forma LMS version 3.1.0 and earlier that could allow an authenticated attacker (with the role of student) to privilege escalate in order to upload a Zip file through the SCORM importer feature. The exploitation of this vulnerability could lead to a…
- risk 0.64cvss 9.8epss 0.01
An Unauthenticated time-based blind SQL injection vulnerability exists in Forma LMS prior to v.1.4.3.
- risk 0.57cvss 8.8epss 0.01
forma.lms 2.3.0.2 is affected by Cross Site Request Forgery (CSRF) in formalms/appCore/index.php?r=lms/profile/show&ap=saveinfo via a GET request to change the admin email address in order to accomplish an account takeover.
- risk 0.57cvss 8.8epss 0.02
Exploitable SQL injection vulnerability exists in the authenticated portion of Forma LMS 2.2.1. The /appLms/ajax.server.php URL and parameter filter_status was confirmed to suffer from SQL injections and could be exploited by authenticated attackers. An attacker can send a web…
- risk 0.57cvss 8.8epss 0.01
Exploitable SQL injection vulnerabilities exists in the authenticated portion of Forma LMS 2.2.1. Specially crafted web requests can cause SQL injections. An attacker can send a web request with parameters containing SQL injection attacks to trigger this vulnerability,…
- risk 0.54cvss 8.3epss 0.01
Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the 'id' parameter in the…
- risk 0.49cvss 7.6epss 0.00
Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the 'dyn_filter' parameter in the…
- risk 0.49cvss 7.6epss 0.00
Forma LMS on its 3.1.0 version and earlier is vulnerable to a SQL injection vulnerability. The exploitation of this vulnerability could allow an authenticated attacker (with the role of student) to perform a SQL injection on the 'search[value] parameter in the…
- risk 0.42cvss 6.4epss 0.00
Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name, description fields, and email parameter to execute arbitrary JavaScript without…
- risk 0.42cvss 6.4epss 0.00
Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like '' to execute arbitrary JavaScript when the…
- risk 0.40cvss 6.1epss 0.00
Cross Site Scripting (XSS) vulnerability in FormaLMS before 4.0.5 allows attackers to run arbitrary code via title parameters.
- risk 0.31cvss 4.7epss 0.00
Forma LMS version 3.1.0 and earlier are affected by an Cross-Site scripting vulnerability, that could allow a remote attacker to inject javascript code on the “back_url” parameter in appLms/index.php?modname=faq&op=play function. The exploitation of this vulnerability could…
- CVE-2026-26744Feb 19, 2026risk 0.00cvss —epss 0.00
A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine…
- CVE-2014-5257Nov 6, 2014risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in Forma Lms before 1.2.1 p01 allow remote attackers to inject arbitrary web script or HTML via the (1) id_custom parameter in an amanmenu request or (2) id_game parameter in an alms/games/edit request to appCore/index.php.