Skip to main content

Skillable SCORM CVE-2026-56877

MEDIUM
External Control of Assumed-Immutable Web Parameter (CWE-472)
2026-07-12
6.3
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
7.6 HIGH

PR:L for required enrollment token; C:L and I:L added over the reporter's score to reflect vendor-confirmed session exposure and allocation integrity bypass.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
CVSS changed
Jul 13, 2026 - 22:22 NVD
6.3 (MEDIUM)
Analysis Generated
Jul 12, 2026 - 16:16 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Skillable's hosted SCORM lab launch endpoint at scorm.skillable.com enforces per-user lab allocation limits against a client-supplied userId query parameter that is never validated against the authenticated SCORM session token, enabling any enrolled learner to bypass rate limits, provision concurrent cloud VM lab instances at the course provider's expense, and exhaust another enrolled user's lab or exam allocation to deny them access. The vulnerability (CWE-639) was confirmed against the reporter's own account and a consenting fellow student on 2026-05-03; the vendor subsequently acknowledged in a private customer advisory that exam allocations and another learner's active session details are also reachable via the same mechanism. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Enroll in SCORM-integrated Skillable course
Delivery
Capture SCORM launch URL via intercepting proxy
Exploit
Substitute target userId from LMS enumeration endpoint
Execution
Submit modified launch request to scorm.skillable.com
Persist
Server validates token, deducts victim's lab allocation
Impact
Victim denied access to lab or exam

Vulnerability AssessmentAI

Exploitation Exploitation requires an active SCORM launch token, issued only to learners authenticated within the LMS who have opened a lab unit - limiting the attacker population to enrolled students on Skillable SCORM-integrated courses. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-reported CVSS 3.1 score of 6.5 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately reflects the confirmed cross-user denial-of-service impact but deliberately excludes confidentiality and integrity dimensions that the reporter could not independently verify. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An enrolled student uses an intercepting proxy to capture the SCORM lab launch URL, then replaces the userId query parameter with a fellow student's identifier - obtainable via the LMS learner enumeration endpoint. Submitting the modified request to scorm.skillable.com causes the server to validate the attacker's SCORM token (confirming enrollment) but deduct the launch against the victim's allocation; repeated requests silently exhaust the victim's per-user limit, and the victim is subsequently denied access to the lab or exam. …
Remediation No server-side patch exists and the vendor has confirmed none is planned for the SCORM launch path. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: List all courses and institutions using Skillable SCORM; assess current lab and exam allocation inventory. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56877 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy