CVE-2026-56877
Summary
| CVE | CVE-2026-56877 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-13 22:16:48 UTC |
| Updated | 2026-07-16 07:16:48 UTC |
| Description | The SCORM lab launch endpoint in Skillable (scorm.skillable.com) through 2026-07-13 does not validate the client-supplied userId parameter against the authenticated SCORM session token. An authenticated user can substitute arbitrary userId values to bypass per-user lab launch rate limits and consume other users' lab allocations, resulting in denial of service against targeted users' lab and exam access. Skillable was formerly named Learn on Demand Systems. |
Risk And Classification
Primary CVSS: v3.1 6.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS: 0.004100000 probability, percentile 0.332060000 (date 2026-07-16)
Problem Types: CWE-472 | CWE-472 CWE-472 External Control of Assumed-Immutable Web Parameter
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| 3.1 | CNA | CVSS | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
LowAvailability
LowCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Skillable | SCORM Lab Launch Integration | affected 2026-07-13 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.skillable.com/security | [email protected] | www.skillable.com | |
| www.openwall.com/lists/oss-security/2026/07/12/1 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| www.openwall.com/lists/oss-security/2026/07/12/2 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| seclists.org/fulldisclosure/2026/Jul/20 | af854a3a-2127-422b-91ae-364da2661108 | seclists.org | |
| www.openwall.com/lists/oss-security/2026/07/12/1 | [email protected] | www.openwall.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.