CVE-2026-1517 identifies a SQL injection vulnerability in iomad, an open-source Learning Management System (LMS) built on Moodle, affecting versions from 3.1 through 5.0. The vulnerability resides in an unspecified function within the Company Admin Block component, which is responsible for administrative operations related to company management within the LMS. The flaw allows an attacker with high privileges (likely an authenticated administrator) to inject malicious SQL commands remotely, without requiring user interaction. This injection can lead to unauthorized data access, modification, or deletion within the underlying database, impacting confidentiality, integrity, and availability of LMS data. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) indicates network attack vector, low attack complexity, no authentication bypass, but requiring high privileges, and partial impact on confidentiality, integrity, and availability. The vulnerability is patched in versions 4.5 LTS and 5.0, and upgrading is the primary remediation. No public exploits have been reported, but the potential for damage is significant given the administrative context and the sensitive nature of LMS data, including user credentials, course materials, and organizational information.

For European organizations, particularly those in education, corporate training, and government sectors relying on iomad for LMS services, this vulnerability poses a risk of unauthorized database manipulation by privileged insiders or compromised administrator accounts. Exploitation could lead to data breaches involving personal data of students and employees, alteration or deletion of critical training records, and disruption of LMS availability. Given the GDPR regulations, any data breach involving personal information could result in significant legal and financial penalties. Additionally, compromised LMS platforms could be leveraged as pivot points for broader network attacks. The medium severity reflects the requirement for high privileges, which somewhat limits external exploitation but does not eliminate insider threat risks or risks from credential compromise. Organizations with large deployments of iomad or those integrating it with other critical systems face amplified risks.

Organizations should immediately upgrade iomad installations to version 4.5 LTS or 5.0 to remediate the vulnerability. Beyond patching, it is critical to enforce strict access controls and monitor administrative accounts for suspicious activity to prevent privilege abuse. Implement multi-factor authentication (MFA) for all administrator accounts to reduce the risk of credential compromise. Conduct regular audits of database queries and logs to detect anomalous SQL commands indicative of injection attempts. Employ web application firewalls (WAFs) with SQL injection detection capabilities tailored to iomad’s traffic patterns. Segregate LMS databases from other critical infrastructure to limit lateral movement in case of compromise. Finally, ensure backups are current and tested to enable recovery from potential data corruption or deletion.