CVE-2026-30884

Published 18/03/2026 04:17 · Modified 18/03/2026 14:52

Labels: CVE-2026-30884, 2026-03-18, CWE-639, [email protected]

Essential information

Published: 18/03/2026 04:17
Modified: 18/03/2026 14:52
Author:
Creator:
CVSS: 9.6 CRITICAL (v3.1)
CISA KEV: No
CWE: CWE-639
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Description

mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds `mod/customcert:manage` in any single course can read and silently overwrite certificate elements belonging to any other course in the Moodle installation. The `core_get_fragment` callback `editelement` and the `mod_customcert_save_element` web service both fail to verify that the supplied `elementid` belongs to the authorized context, enabling cross-course information disclosure and data tampering. Versions 4.4.9 and 5.0.3 fix the issue.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product | CPE
moodle / mod customcert | cpe:2.3:a:moodle:mod_customcert:<4.4.9:*:*:*:*:*:*:*
moodle / mod customcert | cpe:2.3:a:moodle:mod_customcert:<5.0.3:*:*:*:*:*:*:*

References