CVE-2026-31282 · CRITICAL 9.8 · EPSS percentile 30.6%

Description

Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with a missing rate limit on the login form to launch a brute-force attack. NOTE: this is disputed by the Supplier because (1) local login is enabled/disabled server side (this is not a client-side control); (2) there is no evidence that SSO login can be bypassed to allow local login; and (3) there is no evidence that local login can be performed when it is disabled server side.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.39% probability of exploitation · percentile 30.6% · 2026-06-18T12:00:27Z
Published: 2026-04-13
Last modified: 2026-05-06

Underlying weaknesses · 1

CWE-284

References

  1. https://github.com/saykino/CVE-2026-31282
  2. https://www.totara.com/

Mapped entities · 1

Type      | Target                              | Confidence | Tier
Weakness  | Improper Access Control (cwe-284)   | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-31283
  2. CVE: CVE-2026-31281
  3. CVE: CVE-2026-42682
  4. CVE: CVE-2026-25406
  5. CVE: CVE-2025-13982
  6. CVE: CVE-2025-12547

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.