🔐 CVE Alert

CVE-2026-40455

UNKNOWN 0.0

SQL Injection in LMS

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

An SQL Injection vulnerability exists in LMS (LAN Management System) before commit 4cb30a7 within the "tarifflist.php" module due to insufficient sanitization of the POST "tg[]" parameter. The application directly concatenates user-supplied array values into an SQL query using "implode()", allowing authenticated attackers to perform Error-Based SQL injection and extract sensitive database information.

CWE: CWE-89
Vendor: lms
Product: lms
Published: Jun 18, 2026
Last Updated: Jun 18, 2026

Affected Versions

LMS / LMS
0 < 4cb30a7

References

github.com: https://github.com/chilek/lms/commit/4cb30a70e7e3d8a0ea53afa2dbef19d5243d449b
cert.pl: https://cert.pl/posts/2026/06/CVE-2026-40455
lms.org.pl: https://lms.org.pl/

Credits

Tymoteusz Dominik