Report an incident
Back
  • About us
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy Bezpieczny telefon
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Tools
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerabilities in LMS software
18 June 2026 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2026-40455
Publication date 18 June 2026
Vendor LMS
Product LMS
Vulnerable versions All before commit 4cb30a7
Vulnerability type (CWE) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
Report source Report to CERT Polska
CVE ID CVE-2026-40456
Publication date 18 June 2026
Vendor LMS
Product LMS
Vulnerable versions All before commit 9fcb4de
Vulnerability type (CWE) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Report source Report to CERT Polska
CVE ID CVE-2026-40457
Publication date 18 June 2026
Vendor LMS
Product LMS
Vulnerable versions All before commit 9c5651b
Vulnerability type (CWE) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79)
Report source Report to CERT Polska

Description

CERT Polska has received a report about vulnerabilities in LMS (LAN Management System) software and participated in coordination of their disclosure.

The vulnerability CVE-2026-40455: An SQL Injection vulnerability exists in LMS (LAN Management System) before commit 4cb30a7 within the tarifflist.php module due to insufficient sanitization of the POST tg[] parameter. The application directly concatenates user-supplied array values into an SQL query using implode(), allowing authenticated attackers to perform Error-Based SQL injection and extract sensitive database information.

The vulnerability CVE-2026-40456: An OS Command Injection vulnerability exists in LMS (LAN Management System) before commit 9fcb4de due to an IP address parameter being passed to the exec() function without proper validation, allowing attackers to execute arbitrary operating system commands.

The vulnerability CVE-2026-40457: A Reflected Cross-Site Scripting (XSS) vulnerability exists in LMS (LAN Management System) before commit 9c5651b in the dbrecover.php and netremap.php modules where unsanitized GET parameters are directly embedded into HTML output. This allows an attacker to inject arbitrary JavaScript when an authenticated user clicks a crafted link, provided the required conditions (such as a network defined in the system) are met.

Credits

We thank Tymoteusz Dominik for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.