Platform: symfony
Component: symfony
Fixed in: 2.0.1
CVE-2026-33715 is a Server-Side Request Forgery (SSRF) vulnerability affecting Chamilo LMS, an open-source learning management system. The flaw allows an unauthenticated attacker to supply an arbitrary Symfony Mailer DSN string, which makes the server connect to an attacker-controlled SMTP server and can be used to reach internal networks. The vulnerability exists in version 2.0-RC.2 and has been resolved in version 2.0.0-RC.3.
CVE-2026-33715 in Chamilo LMS (version 2.0-RC.2) allows an attacker to send emails through an attacker-controlled SMTP server. This is possible because the public/main/inc/ajax/install.ajax.php file remains accessible without authentication even on fully installed instances, and its test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data. Because the DSN string is not validated, the attacker controls the SMTP server, port, username, and password, resulting in unauthorized email sending. This could be used for spamming, phishing, or even stealing confidential information contained in emails.
An attacker could exploit this vulnerability by sending a POST request to the public/main/inc/ajax/install.ajax.php file with a malicious DSN string pointing to their own SMTP server. The attacker needs access to the network where Chamilo LMS is running but does not require valid authentication credentials. The ease of exploitation and the potential impact on data confidentiality and integrity make this vulnerability a significant concern.
Exploit Status
EPSS: 0.07% (21st percentile)
CISA SSVC
CVSS Vector
The solution to this vulnerability is to upgrade Chamilo LMS to version 2.0.0-RC.3 or higher. This version fixes the issue by including authentication verification and installation completion checks in the install.ajax.php file. In the meantime, as a temporary measure, it is recommended to restrict access to the public/main/inc/ajax/install.ajax.php file through a firewall or role-based access configurations. Additionally, monitor server logs for any suspicious activity related to email sending.
Update Chamilo LMS to version 2.0.0-RC.3 or later to mitigate the vulnerability. This update corrects the lack of authentication in the `test_mailer` action of `install.ajax.php`, preventing SSRF and the use of the server as an open mail relay.
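The advisory's interim advice is to restrict access to the installer endpoint and watch server logs for activity around it. The following added example (not Chamilo project code) scans web-server access log lines in combined format and flags every request that reaches install.ajax.php, since on a fully installed instance that file should not be hit at all. It assumes the `public/` directory is the web root, so the request path appears as `/main/inc/ajax/install.ajax.php`, and it assumes the action name travels as an `a` query parameter; both are assumptions made for illustration, and the log lines are constructed.

```python
"""Flag requests to Chamilo's install.ajax.php in access logs (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: the Chamilo `public/` directory is the web root.
SUSPECT_PATH = "/main/inc/ajax/install.ajax.php"
# Assumption (hypothetical field name): the AJAX action is passed as ?a=<action>.
ACTION_PARAM = "a"


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return a finding for a request to the installer endpoint, else None.

    A POST that the server answered with 200 means the request was processed
    (the endpoint was reachable and not blocked), so it is rated high; anything
    else touching the file (e.g. a 403 from a firewall rule) is still worth
    noting and is rated medium.
    """
    parts = urlsplit(entry["path"])
    if not parts.path.endswith(SUSPECT_PATH):
        return None
    action = parse_qs(parts.query).get(ACTION_PARAM, [None])[0]
    processed = entry["method"] == "POST" and entry["status"] == 200
    return {
        "ip": entry["ip"],
        "ts": entry["ts"],
        "method": entry["method"],
        "status": entry["status"],
        "action": action,
        "severity": "high" if processed else "medium",
    }


def scan(lines):
    """Parse and classify each line; unparseable lines are skipped."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log: one benign page load, one processed POST to the
# installer endpoint, one blocked GET to it, one unrelated AJAX call, one junk line.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2026:14:01:58 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2026:14:02:11 +0000] "POST /main/inc/ajax/install.ajax.php?a=test_mailer HTTP/1.1" 200 57 "-" "curl/8.5.0"',
    '203.0.113.5 - - [10/Mar/2026:14:02:40 +0000] "GET /main/inc/ajax/install.ajax.php HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '198.51.100.7 - - [10/Mar/2026:14:03:02 +0000] "POST /main/inc/ajax/message.ajax.php?a=send_message HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    "not a log line",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['ip']} {f['method']} "
              f"status={f['status']} action={f['action']}")
```

On a real deployment, feed the script the access log of the vhost serving Chamilo; any `high` finding on an instance that has completed installation is worth treating as an attempted or successful use of the endpoint, and the source address and timestamp give the pivot for further triage.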
A DSN (Data Source Name) string is a text string containing configuration information to connect to a database or, in this case, an SMTP server.
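A Symfony Mailer transport DSN has the shape `scheme://user:password@host:port?option=value`, for example `smtp://user:password@mail.example.org:587`. The root cause of this CVE is that such a string was accepted from an unauthenticated request, and the fix is the authentication and installation-completion check; the added example below (not Chamilo or Symfony code) shows the second layer the advisory says was missing, server-side validation of the DSN itself. It parses the string, rejects anything other than SMTP transports, refuses IP-literal hosts (the SSRF path to internal networks) and accepts only hosts and ports from an allow-list. The allow-list values are constructed for illustration.

```python
"""Parse and allow-list a Symfony Mailer transport DSN (added example)."""
import ipaddress
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"smtp", "smtps"}
ALLOWED_PORTS = {25, 465, 587}
# Constructed allow-list: the organisation's own mail relay.
ALLOWED_HOSTS = {"mail.example.org"}


def parse_dsn(dsn):
    """Split a DSN into its parts. Raises ValueError on a malformed string."""
    parts = urlsplit(dsn)
    if not parts.scheme or not parts.hostname:
        raise ValueError("DSN must have a scheme and a host")
    return {
        "scheme": parts.scheme.lower(),
        "host": parts.hostname.lower(),
        "port": parts.port,  # raises ValueError when the port is not numeric
        "user": unquote(parts.username) if parts.username else None,
        "password": unquote(parts.password) if parts.password else None,
    }


def is_ip_literal(host):
    """True for IPv4/IPv6 literals such as 10.0.0.5 or ::1."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def validate_dsn(dsn, allowed_hosts=ALLOWED_HOSTS):
    """Return (accepted, reason). Only an explicitly listed SMTP relay is accepted."""
    try:
        d = parse_dsn(dsn)
    except ValueError as exc:
        return False, f"malformed DSN: {exc}"
    if d["scheme"] not in ALLOWED_SCHEMES:
        return False, f"scheme {d['scheme']!r} not permitted"
    # Refuse raw addresses outright: a DSN pointing at 10.x/127.x/link-local
    # addresses is exactly the SSRF the advisory describes, and a public IP
    # literal is not something an administrator should need either.
    if is_ip_literal(d["host"]):
        return False, "IP-literal hosts are not permitted"
    if d["host"] not in allowed_hosts:
        return False, f"host {d['host']!r} not in allow-list"
    if d["port"] is not None and d["port"] not in ALLOWED_PORTS:
        return False, f"port {d['port']} not permitted"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: one legitimate relay, then several that must be refused.
    for candidate in [
        "smtp://user:p%40ss@mail.example.org:587",
        "smtp://someone:pw@203.0.113.5:25",
        "smtp://10.0.0.5:25",
        "smtps://user@unlisted.example:465",
        "smtp://mail.example.org:2525",
        "smtp://mail.example.org:abc",
        "native://default",
    ]:
        ok, why = validate_dsn(candidate)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {candidate}  ({why})")
```

The allow-list is deliberately the strictest option: a mail-test action on an LMS has no legitimate reason to talk to any relay other than the one the administrator configured, so anything else is refused rather than merely warned about. Validation like this complements, and does not replace, the authentication check that the fixed version adds.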
Upgrading is crucial to mitigate the risk of exploitation of this vulnerability and protect the integrity and confidentiality of data.
Restrict access to the install.ajax.php file and monitor server logs for suspicious activity.
Yes, it affects all Chamilo LMS installations using version 2.0-RC.2.
Currently, there are no automated tools available, but verifying the Chamilo LMS version is sufficient to determine vulnerability.