📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia
About FAQ Contact Us Terms of Service Privacy Policy 🌐 العربية
🔐

Welcome — Sign in or create an account for full access.

🔑 Sign In ✨ Register
🌐 العربية Sign In Create Account
🔧 Scheduled Maintenance — Saturday 2:00-4:00 AM AST. Some features may be temporarily unavailable.    ●   
💎
Pro Plan 50% Off Unlock all AI features, unlimited reports, and priority support. Upgrade
Search Center
ESC to close
navigate open Ctrl+K search
CISO Consulting
Global phishing Cross-sector HIGH 2h Global apt Education CRITICAL 2h Global vulnerability Enterprise Software / ERP Systems CRITICAL 3h Global vulnerability IT Infrastructure CRITICAL 3h Global vulnerability Technology and Software Development HIGH 4h Global vulnerability Enterprise IT and Government CRITICAL 4h Global ransomware Multiple Sectors / Enterprise CRITICAL 5h Global general Technology and Legal MEDIUM 6h Global ransomware Financial Services / Cryptocurrency CRITICAL 6h Global general Industrial Control Systems / Operational Technology HIGH 7h Global phishing Cross-sector HIGH 2h Global apt Education CRITICAL 2h Global vulnerability Enterprise Software / ERP Systems CRITICAL 3h Global vulnerability IT Infrastructure CRITICAL 3h Global vulnerability Technology and Software Development HIGH 4h Global vulnerability Enterprise IT and Government CRITICAL 4h Global ransomware Multiple Sectors / Enterprise CRITICAL 5h Global general Technology and Legal MEDIUM 6h Global ransomware Financial Services / Cryptocurrency CRITICAL 6h Global general Industrial Control Systems / Operational Technology HIGH 7h Global phishing Cross-sector HIGH 2h Global apt Education CRITICAL 2h Global vulnerability Enterprise Software / ERP Systems CRITICAL 3h Global vulnerability IT Infrastructure CRITICAL 3h Global vulnerability Technology and Software Development HIGH 4h Global vulnerability Enterprise IT and Government CRITICAL 4h Global ransomware Multiple Sectors / Enterprise CRITICAL 5h Global general Technology and Legal MEDIUM 6h Global ransomware Financial Services / Cryptocurrency CRITICAL 6h Global general Industrial Control Systems / Operational Technology HIGH 7h
Vulnerabilities

CVE-2026-5546

Medium
A flaw has been found in Campcodes Complete Online Learning Management System 1.0. This impacts the function add_lesson
CWE-284 — Weakness Type
Published: Apr 5, 2026  ·  Modified: Apr 8, 2026  ·  Source: NVD
CVSS v3
6.3
🔗 NVD Official
📄 Description (English)

A flaw has been found in Campcodes Complete Online Learning Management System 1.0. This impacts the function add_lesson of the file /application/models/Crud_model.php. This manipulation causes unrestricted upload. It is possible to initiate the attack remotely. The exploit has been published and may be used.

🤖 AI Executive Summary

CVE-2026-5546 is a medium-severity unrestricted file upload vulnerability in Campcodes Complete Online Learning Management System 1.0 affecting the lesson addition functionality. The flaw allows remote attackers to upload arbitrary files without proper validation, potentially leading to remote code execution or malware distribution. While no patch is currently available and exploit code has been published, the vulnerability poses significant risk to educational institutions and e-learning platforms in Saudi Arabia.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 19, 2026 03:17
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi educational institutions, universities, and e-learning platforms utilizing Campcodes LMS. High-risk sectors include: Ministry of Education institutions, private universities, online training providers, and corporate learning platforms. Secondary impact on government agencies using e-learning for employee training. The unrestricted upload capability could enable attackers to compromise student data, inject malicious content into educational materials, or establish persistent backdoors within institutional networks. Organizations in the education sector and those subject to SAMA oversight for digital services are particularly vulnerable.
🏢 Affected Saudi Sectors
Education Government Healthcare Corporate Training E-Learning Platforms
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:

1. Identify all instances of Campcodes Complete Online Learning Management System 1.0 in your environment

2. Restrict access to the /application/models/Crud_model.php file and lesson management functions using web application firewall (WAF) rules

3. Implement file upload restrictions at the application level:

   - Whitelist only permitted file types (PDF, DOCX, PPTX, images)

   - Validate file extensions and MIME types server-side

   - Store uploads outside web root directory

   - Rename uploaded files with random identifiers

4. Monitor upload directories for suspicious files using antivirus/EDR solutions

5. Review access logs for unauthorized upload attempts

6. Implement strict input validation on the add_lesson function

7. Contact Campcodes for security updates or consider migrating to patched LMS alternatives

8. Deploy WAF rules to block POST requests to /application/models/Crud_model.php with suspicious payloads

Detection Rules:

- Alert on file uploads with executable extensions (.php, .exe, .sh, .jsp)

- Monitor for unusual file sizes in upload directories

- Track failed authentication attempts followed by upload attempts
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:

1. تحديد جميع نسخ نظام إدارة التعلم الإلكتروني الكامل من Campcodes الإصدار 1.0 في بيئتك

2. تقييد الوصول إلى ملف /application/models/Crud_model.php ووظائف إدارة الدروس باستخدام قواعد جدار حماية تطبيقات الويب

3. تطبيق قيود تحميل الملفات على مستوى التطبيق:

   - إنشاء قائمة بيضاء بأنواع الملفات المسموحة فقط (PDF، DOCX، PPTX، الصور)

   - التحقق من امتدادات الملفات وأنواع MIME على جانب الخادم

   - تخزين التحميلات خارج دليل الويب الجذر

   - إعادة تسمية الملفات المحملة بمعرفات عشوائية

4. مراقبة أدلة التحميل للملفات المريبة باستخدام حلول مكافحة الفيروسات

5. مراجعة سجلات الوصول لمحاولات التحميل غير المصرح بها

6. تطبيق التحقق الصارم من المدخلات على وظيفة add_lesson

7. الاتصال بـ Campcodes للحصول على تحديثات الأمان أو النظر في الهجرة إلى بدائل LMS معدلة

8. نشر قواعد WAF لحظر طلبات POST إلى /application/models/Crud_model.php مع حمولات مريبة

قواعد الكشف:

- تنبيه عند تحميل ملفات بامتدادات قابلة للتنفيذ (.php، .exe، .sh، .jsp)

- مراقبة أحجام الملفات غير العادية في أدلة التحميل

- تتبع محاولات المصادقة الفاشلة متبوعة بمحاولات التحميل
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.4.1 - Event logging and monitoring of file uploads ECC 2024 A.14.2.1 - Secure development and change management ECC 2024 A.14.2.5 - Secure coding practices and input validation
🔵 SAMA CSF
SAMA CSF ID.BE-1 - Asset management and inventory control SAMA CSF PR.DS-2 - Data security and file integrity SAMA CSF DE.CM-1 - Detection and monitoring of anomalous activities
🟡 ISO 27001:2022
ISO 27001:2022 A.5.23 - Information security for supplier relationships ISO 27001:2022 A.8.3 - Segregation of duties ISO 27001:2022 A.14.2.1 - Secure development policy ISO 27001:2022 A.14.2.5 - Secure coding practices
🟣 PCI DSS v4.0.1
PCI DSS 6.5.8 - Improper access control (if payment data accessible) PCI DSS 6.5.1 - Injection flaws
📊 CVSS Score
6.3
/ 10.0 — Medium
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack VectorN — None / Network
Attack ComplexityL — Low / Local
Privileges RequiredL — Low / Local
User InteractionN — None / Network
ScopeU — Unchanged
ConfidentialityL — Low / Local
IntegrityL — Low / Local
AvailabilityL — Low / Local
📋 Quick Facts
Severity Medium
CVSS Score6.3
CWECWE-284
EPSS0.01%
Exploit No
Patch ✗ No
Published 2026-04-05
Source Feed nvd
Views 4
🇸🇦 Saudi Risk Score
6.8
/ 10.0 — Saudi Risk
Priority: HIGH
🏷️ Tags
CWE-284
⚡ Actions
🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details
Share this CVE
LinkedIn X / Twitter WhatsApp Telegram
📣 Found this valuable?
Share it with your cybersecurity network
in LinkedIn 𝕏 X / Twitter 💬 WhatsApp ✈ Telegram
🍪 Privacy Preferences
CISO Consulting — Compliant with Saudi Personal Data Protection Law (PDPL)
We use cookies and similar technologies to provide the best experience on our platform. You can choose which types you accept.
🔒
Essential Always On
Required for the website to function properly. Cannot be disabled.
📋 Sessions, CSRF tokens, authentication, language preferences
📊
Analytics
Help us understand how visitors use the site and improve performance.
📋 Page views, session duration, traffic sources, performance metrics
⚙️
Functional
Enable enhanced features like content personalization and preferences.
📋 Dark/light theme, font size, custom dashboards, saved filters
📣
Marketing
Used to deliver content and ads relevant to your interests.
📋 Campaign tracking, retargeting, social media analytics
Privacy Policy →
CISO AI Assistant
Ask anything · Documents · Support
🔐

Introduce Yourself

Enter your details to access the full assistant

Your info is private and never shared
💬
CyberAssist
Online · responds in seconds
5 / 5
🔐 Verify Your Identity

Enter your email to receive a verification code before submitting a support request.

Enter to send · / for commands 0 / 2000
CISO AI · Powered by Anthropic Claude
✦ Quick Survey Help Us Improve CISO Consulting Your feedback shapes the future of our platform — takes less than 2 minutes.
⚠ Please answer this question to continue

How would you rate your overall experience with our platform?

Rate from 1 (poor) to 5 (excellent)

🎉
Thank you!
Your response has been recorded.