CVE-2026-30884 - Vulnerability Analysis
Critical | CVSS: 9.6 | Last Updated: March 18, 2026
mdjnelson/moodle-mod_customcert - Broken Access Control
Overview
mdjnelson/moodle-mod_customcert < 4.4.9 and < 5.0.3 contains a broken access control vulnerability: the editelement callback and the mod_customcert_save_element web service do not verify element ownership. This lets teachers with the mod/customcert:manage permission in one course read and overwrite certificate elements in other courses. Exploitation requires a teacher role with the mod/customcert:manage permission.
Impact
Teachers can read and modify certificate elements across courses, leading to information disclosure and data tampering.
Mitigation
Upgrade to versions 4.4.9 or 5.0.3 or later.
Social Media Activity (2 posts)
CVE-2026-30884 - Critical (9.6) mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who holds `mod/customcert:manage` in any single course... https://www.thehackerwire.com/vulnerability/CVE-2026-30884/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-30884
- Severity: Critical
- CVSS Score: 9.6
- Type: broken_access_control
- Status: unconfirmed
- EPSS: 1.6%
- Social Posts: 2
CWE
- CWE-639
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N