Skip to main content

LearnHouse CVE-2025-12268

LOW
Improper Access Control (CWE-284)
2025-10-27 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 02:31 vuln.today

DescriptionCVE.org

A vulnerability has been found in LearnHouse up to 98dfad76aad70711a8113f6c1fdabfccf10509ca. Impacted is an unknown function of the file /api/v1/courses/ of the component Course Thumbnail Handler. The manipulation of the argument thumbnail leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

LearnHouse allows authenticated remote users to upload arbitrary files via unrestricted manipulation of the thumbnail parameter in the Course Thumbnail Handler endpoint (/api/v1/courses/), enabling potential malicious file storage and execution. The vulnerability affects all versions up to commit 98dfad76aad70711a8113f6c1fdabfccf10509ca, with publicly available exploit code disclosed despite vendor non-response to early notification. While CVSS is low (2.1) and EPSS exploitation probability is minimal (0.06%), the presence of public exploits and authentication-only barrier warrants prioritization in environments where account compromise or insider risk is elevated.

Technical ContextAI

LearnHouse uses a rolling release model without versioned releases, making traditional version tracking impossible. The vulnerability exists in the Course Thumbnail Handler component, specifically the /api/v1/courses/ API endpoint, where the thumbnail parameter fails to validate file type, size, or content. This is a classic unrestricted file upload vulnerability (CWE-284: Improper Access Control) requiring authentication (CVSS PR:L). The attack surface is the HTTP API layer handling course metadata operations. The CPE cpe:2.3:a:learnhouse:learnhouse:*:*:*:*:*:*:*:* indicates all versions are potentially affected, with the commit hash serving as the known-affected baseline rather than a traditional version number.

RemediationAI

No vendor-released patch is available at time of analysis due to vendor non-response and rolling release model. Organizations must upgrade to a commit after 98dfad76aad70711a8113f6c1fdabfccf10509ca if the upstream project issues a fix, or implement compensating controls immediately. Primary mitigation: restrict API access to the /api/v1/courses/ endpoint via network-level controls (WAF, reverse proxy, firewall rules) to limit exposure to trusted internal networks only, accepting the trade-off of reducing course thumbnail management to internal-only operations. Secondary mitigation: implement strict file type validation and size limits at the application layer if source code access is available (fork and patch the vulnerable endpoint). Tertiary mitigation: enforce strong authentication and audit logging for all course API operations to detect and block suspicious file uploads. Monitor the upstream LearnHouse repository on GitHub for security advisories, as vendor communication remains unresponsive. For critical deployments, consider switching to a vendor-supported learning platform with active security patch cycles.

Share

CVE-2025-12268 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy