Ghostwire

CVE-2026-31282: Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to...

Severity: CRITICAL | CVSS 9.5 | EPSS 0.02% | Exploit Available | 1 PoC

Published: April 13, 2026 | Last Modified: April 13, 2026

Description

Totara LMS v19.1.5 and earlier is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain this with the missing rate limit on the login form to launch a brute-force attack.

Ghostwire Analysis — What This Means Practically

Exploitation Probability (EPSS): Low — 0.02% (5th percentile)

Low exploitation probability based on current threat landscape data. Standard patching timeline is appropriate.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Proof-of-Concept Exploits (1)

Security Coverage (2 articles)
