Creativeitem Academy_lms
16 CVEs affecting Creativeitem Academy_lms. Latest disclosed: 2026-02-03. Critical: 1, High: 1.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-56749 | Critical | 9.4 | 2025-10-15 | Creativeitem Academy LMS up to and including 6.14 uses a hardcoded default JWT secret for token signing. This predictable secret allows attackers to forge vali… |
| CVE-2022-47132 | High | 8.8 | 2023-02-03 | A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows attackers to arbitrarily add Administrator users. |
| CVE-2025-56747 | Medium | 6.5 | 2025-10-14 | Creativeitem Academy LMS up to and including 5.13 contains a privilege escalation vulnerability in the Api_instructor controller where regular authenticated us… |
| CVE-2025-56748 | Medium | 6.4 | 2025-10-15 | Creativeitem Academy LMS up to and including 5.13 uses predictable password reset tokens based on Base64 encoded templates without rate limiting, allowing brut… |
| CVE-2023-4974 | Medium | 6.3 | 2023-09-15 | A vulnerability was found in Academy LMS 6.2. It has been rated as critical. Affected by this issue is some unknown functionality of the file /academy/tutor/fi… |
| CVE-2025-71179 | Medium | 6.1 | 2026-02-03 | Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to the /academy/blogs endpoint, and the str… |
| CVE-2024-38959 | Medium | 6.1 | 2024-07-09 | Cross Site Scripting vulnerability in Creativeitem Academy LMS Learning Management System v.6.8.1 allows a remote attacker to execute arbitrary code and obtain… |
| CVE-2023-38964 | Medium | 6.1 | 2023-08-04 | Creative Item Academy LMS 6.0 was discovered to contain a cross-site scripting (XSS) vulnerability. |
| CVE-2023-53876 | Medium | 5.4 | 2025-12-15 | Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. A… |
| CVE-2022-47131 | Medium | 4.8 | 2023-02-03 | A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows an attacker to arbitrarily create a page. |
| CVE-2022-29380 | Medium | 4.8 | 2022-05-25 | Academy-LMS v4.3 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the SEO panel. |
| CVE-2023-4119 | Medium | 4.3 | 2023-08-03 | A vulnerability has been found in Academy LMS 6.0 and classified as problematic. This vulnerability affects unknown code of the file /academy/home/courses. The… |
| CVE-2022-47130 | Medium | 4.3 | 2023-02-03 | A Cross-Site Request Forgery (CSRF) in Academy LMS before v5.10 allows a discount coupon to be arbitrarily created if an attacker with administrative privilege… |
| CVE-2023-4973 | Low | 3.5 | 2023-09-15 | A vulnerability was found in Academy LMS 6.2 on Windows. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the… |
| CVE-2023-3752 | Low | 3.5 | 2023-07-19 | A vulnerability was found in Creativeitem Academy LMS 5.15. It has been rated as problematic. Affected by this issue is some unknown functionality of the file… |
| CVE-2025-56746 | Low | 2.2 | 2025-10-15 | Creativeitem Academy LMS up to and including 5.13 does not regenerate session IDs upon successful authentication, enabling session fixation attacks where attac… |