Platform
php
Component
chamilo-lms
Fixed in
1.11.39
CVE-2026-31939 describes a Path Traversal vulnerability discovered in Chamilo LMS. This flaw allows an attacker to potentially delete arbitrary files on the server. The vulnerability affects versions 1.11.0 through 1.11.37 of Chamilo LMS and has been resolved in version 1.11.38.
The path traversal vulnerability lies within the main/exercise/savescores.php file. The application concatenates user-supplied input from the $_REQUEST['test'] parameter directly into a filesystem path without validation or canonicalization. An attacker can therefore craft a request whose test parameter contains traversal sequences (e.g. ../../) to step outside the intended directory and have the application delete a file of their choosing. Successful exploitation can cause denial of service and data loss: any file the web server process is permitted to delete is reachable, which typically includes the application's own configuration and uploaded course content. The ability to delete files is a significant risk in a learning management system that stores user data and course materials.
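The following is an added illustration of the unsafe pattern described above beside a hardened replacement. It is not Chamilo's actual savescores.php code; the function names and the base directory are assumptions made for the example, and the demonstration at the bottom works in a throwaway temporary directory so that no real files are touched.

```php
<?php
declare(strict_types=1);

// Added example, not Chamilo project code. Function names and paths are
// assumptions chosen for the illustration.

// Unsafe pattern: user input concatenated into a path and handed to unlink().
// test=../../../../etc/passwd walks out of $baseDir; the only limit is the
// web server user's filesystem permissions.
function unsafeDeleteScores(string $baseDir, string $test): bool
{
    $path = $baseDir . '/' . $test;
    return file_exists($path) && unlink($path);
}

// Step 1: syntactic allow-list. A score file name is a single path component
// of safe characters; anything containing '/', '\', '.', or NUL is refused.
function isSafeTestToken(string $test): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $test) === 1;
}

// Step 2: canonical containment. realpath() resolves '..', symlinks and
// duplicate separators (and returns false for paths that do not exist); the
// resolved file must start with the resolved base plus a separator, which
// also blocks prefix collisions such as /srv/results_evil vs /srv/results.
function resolveInsideBase(string $baseDir, string $candidate): ?string
{
    $base = realpath($baseDir);
    $path = realpath($candidate);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Hardened replacement: both checks run before any filesystem mutation.
function safeDeleteScores(string $baseDir, string $test): bool
{
    if (!isSafeTestToken($test)) {
        return false;
    }
    $path = resolveInsideBase($baseDir, $baseDir . '/' . $test);
    return $path !== null && unlink($path);
}

// Demonstration on constructed inputs inside a temporary directory.
$base = sys_get_temp_dir() . '/scores_demo_' . bin2hex(random_bytes(4));
mkdir($base, 0700);
file_put_contents("$base/42", 'score data');          // legitimate score file
$canary = tempnam(sys_get_temp_dir(), 'canary');      // file outside the base directory

$attempts = ['42', '../' . basename($canary), "..\x00/x", 'a/b'];
foreach ($attempts as $test) {
    printf("%-24s token ok: %s  deleted: %s\n",
        addcslashes($test, "\0"),
        isSafeTestToken($test) ? 'yes' : 'no ',
        safeDeleteScores($base, $test) ? 'yes' : 'no');
}
// The canary survives because safeDeleteScores() refused the traversal attempt.
printf("canary still exists: %s\n", file_exists($canary) ? 'yes' : 'no');

unlink($canary);
array_map('unlink', glob("$base/*"));
rmdir($base);
```

Only the legitimate name 42 passes both checks and is deleted; the traversal attempt against the canary, the NUL-byte variant and the multi-component name are all refused by the allow-list before realpath() is even consulted. The containment check is kept as defence in depth so that a later relaxation of the allow-list (for example to permit subdirectories) cannot silently reopen the traversal.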
This vulnerability was publicly disclosed on 2026-04-10. There is no indication of active exploitation campaigns at this time. No public proof-of-concept (PoC) code has been released, but the vulnerability's nature makes it relatively straightforward to exploit. The vulnerability's severity is rated HIGH (CVSS: 8.3), indicating a significant risk if exploited.
Exploit Status
EPSS
0.05% (14th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-31939 is to upgrade Chamilo LMS to version 1.11.38 or later without delay. If upgrading is not immediately feasible, temporary workarounds reduce exposure. A Web Application Firewall (WAF) can block requests to savescores.php whose test parameter contains path traversal sequences; because $_REQUEST reads GET, POST and cookie values, the rule must inspect request bodies as well as the query string, and must match URL-encoded and double-encoded variants (%2e%2e%2f, %252e%252e%252f) rather than only the literal ../. Input validation on the $_REQUEST['test'] parameter should restrict it to a single path component of allowed characters and reject any separator or dot sequence. Limit the directories writable by the web server user to those Chamilo actually requires (upload and cache locations); deletion through this flaw is bounded by those permissions, so a read-only installation tree confines the damage to uploaded content. After upgrading, verify the fix on a staging copy: create a harmless canary file outside the target directory, request savescores.php with a test value that traverses to it, and confirm that the request is rejected and the canary is still present. Do not test deletion against a production system with a real target file.
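To check whether the endpoint has already been probed, the following added example scans web server access-log lines for requests to savescores.php whose test parameter decodes to a traversal sequence. It is not part of the advisory or of Chamilo; the log lines are constructed for the example, and the parser assumes the Apache/nginx Combined Log Format. A standard access log records only the query string, so POST bodies (which $_REQUEST also reads) are invisible here and need a WAF or request-body logging to cover.

```php
<?php
declare(strict_types=1);

// Added example, not project code. Log lines below are constructed; the IPs
// are documentation ranges and the targets are illustrative.

// Decode up to three times to unwrap double/triple URL-encoding, normalise
// backslashes, then look for a '..' path component, a NUL byte, or an
// absolute path.
function hasTraversal(string $value): bool
{
    $decoded = $value;
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }
    $decoded = str_replace('\\', '/', $decoded);
    return preg_match('#(^|/)\.\.(/|$)#', $decoded) === 1
        || strpos($decoded, "\0") !== false
        || ($decoded !== '' && $decoded[0] === '/');
}

// Parse one Combined Log Format line; returns null when it does not match.
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

// Return the requests that hit savescores.php with a traversal in `test`.
function findSuspicious(array $lines): array
{
    $hits = [];
    $suffix = '/main/exercise/savescores.php';
    foreach ($lines as $line) {
        $r = parseLogLine($line);
        if ($r === null) {
            continue;
        }
        $url  = parse_url($r['target']);
        $path = $url['path'] ?? '';
        // Installations may live under a sub-path, so match the suffix only.
        if (substr($path, -strlen($suffix)) !== $suffix) {
            continue;
        }
        $params = [];
        parse_str($url['query'] ?? '', $params);   // decodes one layer of %xx
        $test = $params['test'] ?? null;
        if (is_string($test) && hasTraversal($test)) {
            $hits[] = $r + ['test' => $test];
        }
    }
    return $hits;
}

// Constructed sample log lines (not from a real incident).
$log = [
    '203.0.113.5 - - [10/Apr/2026:14:02:11 +0000] "GET /main/exercise/savescores.php?test=../../../../etc/passwd&id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Apr/2026:14:02:14 +0000] "GET /main/exercise/savescores.php?test=%2e%2e%2f%2e%2e%2fcourses HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Apr/2026:14:05:00 +0000] "GET /main/exercise/savescores.php?test=42 HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Apr/2026:14:05:03 +0000] "GET /main/exercise/exercise.php?exerciseId=7 HTTP/1.1" 200 8192',
    '203.0.113.5 - - [10/Apr/2026:14:06:30 +0000] "GET /lms/main/exercise/savescores.php?test=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 199',
];

foreach (findSuspicious($log) as $hit) {
    printf("%s %-15s %s %d test=%s\n", $hit['time'], $hit['ip'], $hit['method'], $hit['status'], $hit['test']);
}
```

Three of the five constructed lines are reported: the plain ../ sequence, the single-encoded %2e%2e%2f variant (decoded once by parse_str) and the double-encoded request under a sub-path install (decoded a second time by hasTraversal). The benign test=42 request and the unrelated exercise.php request are ignored. The status column matters when triaging: a 200 on a traversal request before the upgrade is a likely successful deletion and warrants checking the targeted file, while a 403 indicates the WAF or the patched code refused it.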
Update Chamilo LMS to version 1.11.38 or later to mitigate the path traversal vulnerability. This update corrects the unsafe concatenation of user input into the filesystem path, preventing arbitrary file deletion.
CVE-2026-31939 is a Path Traversal vulnerability in Chamilo LMS versions 1.11.0 through 1.11.37, allowing attackers to potentially delete files. It's rated HIGH severity (CVSS: 8.3).
You are affected if you are running Chamilo LMS versions 1.11.0 through 1.11.37. Upgrade to 1.11.38 to mitigate the risk.
Upgrade Chamilo LMS to version 1.11.38. As a temporary workaround, implement WAF rules or input validation to prevent path traversal.
There is no current evidence of active exploitation, but the vulnerability's nature makes it easily exploitable.
Refer to the official Chamilo LMS security advisories on their website for the latest information and updates regarding CVE-2026-31939.