Hi, I'm sorry I let this message through (as a moderator). It shouldn't be in here since it's about a hosted service and lacks open source focus. We generally don't let this sort of disclosures through to oss-security, and upon a closer look I see no reason to have made an exception this time. Well, let this serve as an example of what kind of off-topic messages are occasionally being sent in here. I'd normally redirect the sender to post to the full-disclosure list instead.
On Sun, Jul 12, 2026 at 10:13:27AM +0000, [email protected] wrote: > Skillable (formerly Learn on Demand Systems) is a hosted lab- > provisioning service > CVE-2026-56877 was assigned by MITRE. > References > ---------- > [1] Advisory writeup: > https://payloadforge.io/beyond-crto-skillable/ It's interesting this got assigned a CVE at all even though it's not in released software. The writeup above explains: > A 2022 CVE Program article explained that cloud service CVEs provide the > clearest value where “the vulnerability requires customer or peer > action to resolve,” contrasting that with cases where the provider > silently fixes and customers have nothing to do. This is the opposite: > the vendor won’t fix, so the customer must migrate. and links to: https://medium.com/@cve_program/dispelling-the-myth-cve-id-assignment-and-record-publication-for-vulnerabilities-affecting-cloud-6d1937a34f1c which says: > CVE Program Blog > Sep 13, 2022 > > There exists a myth that the CVE® Program does not assign CVE IDs and > publish CVE Records for vulnerabilities affecting cloud services. This > myth has propagated on social media, repeated over and over again by > those who really believe it. In fact, the CVE Program has and does > assign CVE IDs and publish CVE Records for vulnerabilities affecting > cloud services. > > The CVE Rules are publicly available. Rule 7.4.4 states: > > 7.4.4 CNAs MAY assign a CVE ID to a vulnerability if: > > 1. The product or service is owned by the CVE Numbering Authority (CNA) > > 2. The product or service is not customer controlled, and > > 3. The vulnerability requires customer or peer action to resolve > > The CVE Board is responsible for the strategic direction, governance, > operational structure, policies, and rules of the CVE Program. Both the > CVE Board’s and the CVE Program’s goal is to ensure that users > can take action to protect themselves against vulnerabilities. When a > vulnerability does not require customer action, issuing a CVE generates > a high volume of unactionable noise for users instead of a high-fidelity > signal that they can act upon. At the request of participating cloud > service providers (CSPs), the Board changed the CVE Program rules over > two years ago, to enable CVE ID assignment and record publication for > vulnerabilities affecting cloud services. Alexander
