PT-2026-6716 · Unknown · Portabilis I-Educar
Vini_Castro · Published 2026-02-06 · Updated 2026-02-06
CVE-2026-2015
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Portabilis i-Educar versions up to 2.10
Description
A weakness exists in Portabilis i-Educar up to version 2.10, specifically within the Final Status Import component. The issue involves improper authorization that can be triggered by manipulating the school id argument within an unknown function of the FinalStatusImportService.php file. This manipulation can be executed remotely. The exploit for this issue has been publicly released. The vendor was notified but did not respond.
Recommendations
Versions prior to 2.10 should be updated. As a temporary workaround, consider restricting access to the FinalStatusImportService.php file to minimize the risk of exploitation.
Exploit
Fix
Improper Authorization
Incorrect Privilege Assignment
Related Identifiers
Affected Products
Portabilis I-Educar