Skip to main content

Openolat

8 CVEs product

Monthly

CVE-2026-31946 CRITICAL PATCH Act Now

Authentication bypass in OpenOlat e-learning platform versions 10.5.4 through 20.2.4 allows remote unauthenticated attackers to forge authentication tokens due to missing JWT signature verification in OpenID Connect implementation. The platform accepts JWTs without cryptographic validation, enabling attackers to impersonate any user by crafting tokens with arbitrary claims. CVSS 9.8 (Critical) with network attack vector, low complexity, and no privileges required. No public exploit identified at time of analysis, though the vulnerability is trivial to exploit given the complete absence of signature verification.

Authentication Bypass Openolat
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2024-28198 HIGH PATCH This Week

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Openolat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-25974 MEDIUM POC This Month

The Frentix GmbH OpenOlat LMS is affected by stored a Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openolat
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2024-25973 MEDIUM POC This Month

The Frentix GmbH OpenOlat LMS is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openolat
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-41242 HIGH PATCH This Week

OpenOlat is a web-basedlearning management system. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Path Traversal Openolat
NVD GitHub
CVSS 3.1
8.1
EPSS
1.4%
CVE-2021-41152 HIGH PATCH This Week

OpenOlat is a web-based e-learning platform for teaching, learning, assessment and communication, an LMS, a learning management system. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Openolat
NVD GitHub
CVSS 3.1
7.7
EPSS
1.2%
CVE-2021-39181 HIGH PATCH This Week

OpenOlat is a web-based learning management system (LMS). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Java Openolat
NVD GitHub
CVSS 3.1
8.8
EPSS
1.9%
CVE-2021-39180 HIGH PATCH This Week

OpenOLAT is a web-based learning management system (LMS). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Tomcat Path Traversal Java Openolat
NVD GitHub
CVSS 3.1
8.8
EPSS
2.4%
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in OpenOlat e-learning platform versions 10.5.4 through 20.2.4 allows remote unauthenticated attackers to forge authentication tokens due to missing JWT signature verification in OpenID Connect implementation. The platform accepts JWTs without cryptographic validation, enabling attackers to impersonate any user by crafting tokens with arbitrary claims. CVSS 9.8 (Critical) with network attack vector, low complexity, and no privileges required. No public exploit identified at time of analysis, though the vulnerability is trivial to exploit given the complete absence of signature verification.

Authentication Bypass Openolat
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.

SSRF XXE Openolat
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The Frentix GmbH OpenOlat LMS is affected by stored a Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openolat
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

The Frentix GmbH OpenOlat LMS is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Openolat
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

OpenOlat is a web-basedlearning management system. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Path Traversal Openolat
NVD GitHub
EPSS 1% CVSS 7.7
HIGH PATCH This Week

OpenOlat is a web-based e-learning platform for teaching, learning, assessment and communication, an LMS, a learning management system. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Openolat
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

OpenOlat is a web-based learning management system (LMS). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Java Openolat
NVD GitHub
EPSS 2% CVSS 8.8
HIGH PATCH This Week

OpenOLAT is a web-based learning management system (LMS). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Tomcat Path Traversal Java +1
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy