Skip to main content

PHP CVE-2026-31940

| EUVD-2026-21522 HIGH
Session Fixation (CWE-384)
2026-04-10 GitHub_M
PHP Information Disclosure Session Fixation
7.5
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Re-analysis Queued
Apr 17, 2026 - 21:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:58 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0.0-RC.3,1.11.38
EUVD ID Assigned
Apr 10, 2026 - 18:00 euvd
EUVD-2026-21522
Analysis Generated
Apr 10, 2026 - 18:00 vuln.today
CVE Published
Apr 10, 2026 - 17:35 nvd
HIGH 7.5

DescriptionNVD

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

AnalysisAI

Session fixation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 enables unauthenticated remote attackers to hijack user sessions via main/lp/aicc_hacp.php. User-controlled request parameters directly manipulate PHP session IDs before application bootstrap, allowing attackers to force victims into attacker-controlled sessions. …

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Identify all Chamilo LMS instances in production and document current versions. Within 7 days: Upgrade Chamilo to version 1.11.38 or later (for 1.x branch) or 2.0.0-RC.3 or later (for 2.0 branch); test in staging environment first. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-31940 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy