PatchSiren


CVE-2026-39598 Kodezen LLC CVE debrief

CVE-2026-39598 is a high-severity vulnerability (CVSS score: 8) in Academy LMS Pro, a learning management system plugin. It allows unrestricted upload of files with dangerous types, which can let an attacker upload a web shell to the web server. The issue affects Academy LMS Pro versions from n/a to 3.5.2 (no starting version is given). The CVE was published on June 17, 2026, and last modified on the same day.

Vendor: Kodezen LLC
Product: Academy LMS Pro
CVSS: HIGH 8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and users of Academy LMS Pro, especially those with versions prior to 3.5.2, should be aware of this vulnerability and take immediate action to mitigate the risk. Additionally, security teams and IT professionals responsible for managing learning management systems should be informed about this potential threat.

Technical summary

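The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type): an attacker can upload files of dangerous types, potentially leading to code execution on the server. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating a high severity level. Read component by component, the flaw is reachable over the network, has high attack complexity, requires a high-privilege account and no user interaction, changes scope, and has high impact on confidentiality, integrity and availability. The vulnerability was reported by [email protected] and is referenced in the Patchstack database.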

Defensive priority

High

Recommended defensive actions

  • Update Academy LMS Pro to version 3.5.2 or later
  • Restrict file uploads to only allow specific, safe file types
  • Implement a web application firewall (WAF) to detect and block suspicious file upload attempts
  • Regularly monitor server logs for potential security incidents
  • Perform security audits and vulnerability assessments on a regular basis
  • Consider implementing additional security measures, such as two-factor authentication and access controls
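
An added example for the second recommendation above (not code from Academy LMS Pro or from this advisory): a server-side allowlist check for uploads, shown in Python for illustration. The permitted types, the size limit and the names `validate_upload` and `UploadRejected` are assumptions.

```python
import os
import secrets

# Assumed allowlist for illustration: extension -> accepted leading magic bytes.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}
# Heuristic markers of script content hidden behind a valid header.
SCRIPT_MARKERS = (b"<?php", b"<script")
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit


class UploadRejected(ValueError):
    """Raised when an upload fails any validation step."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return a server-generated storage name, or raise UploadRejected."""
    if "\x00" in filename:
        raise UploadRejected("NUL byte in file name")
    # Discard any client-supplied path, including Windows separators.
    name = os.path.basename(filename.replace("\\", "/")).strip().lower()
    stem, ext = os.path.splitext(name)
    if not stem or ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} is not on the allowlist")
    # Reject double extensions such as "report.php.jpg": some server
    # configurations dispatch on an inner extension.
    if "." in stem:
        raise UploadRejected("multiple extensions in file name")
    if not 0 < len(data) <= MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # The content must start with the signature of the claimed type.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # A valid header can still be followed by script text (polyglot file).
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        raise UploadRejected("script marker found in content")
    # Never reuse the client's name: store under a random one.
    return secrets.token_hex(16) + ext
```

Storing accepted files outside the web root, or in a directory where the server does not execute scripts, limits the damage if a file slips past these checks.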

Evidence notes

The vulnerability information was obtained from the National Vulnerability Database (NVD) and Patchstack. The CVE record was published on June 17, 2026, and last modified on the same day. The vulnerability is considered high-severity, with a CVSS score of 8.
