Skip to main content

Chamilo Lms EUVDEUVD-2026-21523

| CVE-2026-31941 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-10 GitHub_M
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

7
Re-analysis Queued
Apr 17, 2026 - 21:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:58 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.11.38,2.0.0-RC.3
EUVD ID Assigned
Apr 10, 2026 - 18:00 euvd
EUVD-2026-21523
Analysis Generated
Apr 10, 2026 - 18:00 vuln.today
CVE Published
Apr 10, 2026 - 17:37 nvd
HIGH 7.7

DescriptionGitHub Advisory

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main POST parameter and performs two server-side HTTP requests to that URL without validating whether the target is an internal or external resource. This allows an authenticated attacker to force the server to make arbitrary HTTP requests to internal services, scan internal ports, and access cloud instance metadata. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

AnalysisAI

Server-Side Request Forgery in Chamilo LMS Social Wall feature enables authenticated attackers to force the server to make arbitrary HTTP requests to internal resources. The read_url_with_open_graph endpoint accepts user-controlled URLs via social_wall_new_msg_main POST parameter without validating internal versus external targets, allowing internal port scanning, access to cloud instance metadata (AWS/GCP/Azure), and reconnaissance of private network services. Affects Chamilo LMS versions before 1.11.38 and 2.0.0-RC.3. Attack requires low-privilege authenticated access; no public exploit identified at time of analysis.

Technical ContextAI

CWE-918 SSRF vulnerability stems from missing input validation on user-supplied URLs before server-side HTTP request execution. The Social Wall feature's read_url_with_open_graph endpoint performs dual HTTP requests without allowlist/blocklist filtering, enabling SSRF to RFC1918 private networks, localhost services, and cloud metadata endpoints (169.254.169.254). CVSS vector PR:L indicates authenticated exploitation; scope change (S:C) reflects cross-boundary impact to internal systems.

RemediationAI

Vendor-released patches: upgrade to Chamilo LMS version 1.11.38 (stable branch) or 2.0.0-RC.3 (development branch). Upstream fixes implement URL validation to prevent requests to internal network ranges and cloud metadata endpoints (commits e3790c5f0ff3b4dc547c2099fadf5c438c1bb265 and ea6b7b7e90580c9b01dc4bcafe4ad737061e0ead). Workarounds for environments unable to upgrade immediately: disable Social Wall functionality via administrator panel, implement network-level egress filtering to block server-initiated requests to RFC1918 ranges and 169.254.0.0/16, or restrict Social Wall feature access to highly trusted users only. Full security advisory with technical details: https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q74c-mx8x-489h

CVE-2025-50187 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

CVE-2025-50192 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex

CVE-2025-50190 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.

CVE-2021-35414 CRITICAL POC
9.8 Dec 03

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload

CVE-2019-13082 CRITICAL POC
9.8 Jun 30

Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra

CVE-2025-50199 CRITICAL POC
9.1 Mar 02

Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p

CVE-2023-4220 MEDIUM POC
6.1 Nov 28

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C

CVE-2025-50189 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. [CVSS 8.8 HIGH]

CVE-2025-52468 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi

CVE-2024-30616 HIGH POC
8.8 Nov 04

Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi

CVE-2023-4226 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit

CVE-2023-4225 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers

Share

EUVD-2026-21523 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy