How to fix EUVD-2026-22710?

Within 24 hours: Identify all Chamilo LMS 2.0-RC.2 instances in your environment and restrict network access to install.ajax.php. Within 7 days: Upgrade to Chamilo LMS 2.0.0-RC.3 or later. Within 30 days: Verify upgrade completion across all instances and confirm install.ajax.php is inaccessible from untrusted networks via firewall or WAF rules.

Is PHP affected by EUVD-2026-22710?

Chamilo LMS 2.0-RC.2 contains an unauthenticated SSRF vulnerability in the installation module that could allow attackers to abuse the system as an email relay and scan internal networks without credentials.

EUVD-2026-22710

| CVE-2026-33715 HIGH

2026-04-14 GitHub_M

Authentication Bypass PHP SSRF Chamilo Lms

7.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 05:57 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

patch_available

Apr 16, 2026 - 05:29 EUVD

2.0-RC.3

Analysis Generated

Apr 14, 2026 - 22:39 vuln.today

DescriptionNVD

Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authentication and installation-completed checks. Its test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data and uses it to connect to an attacker-specified SMTP server, enabling Server-Side Request Forgery (SSRF) into internal networks via the SMTP protocol. An unauthenticated attacker can also abuse this to weaponize the Chamilo server as an open email relay for phishing and spam campaigns, with emails appearing to originate from the server's IP address. Additionally, error responses from failed SMTP connections may disclose information about internal network topology and running services. This issue has been fixed in version 2.0.0-RC.3.

AnalysisAI

Server-Side Request Forgery (SSRF) in Chamilo LMS 2.0-RC.2 allows unauthenticated remote attackers to weaponize the learning management system as an open email relay and probe internal networks. The vulnerability stems from an authentication bypass in install.ajax.php, which accepts arbitrary SMTP server connections via Symfony Mailer DSN strings. …

RemediationAI

Within 24 hours: Identify all Chamilo LMS 2.0-RC.2 instances in your environment and restrict network access to install.ajax.php. Within 7 days: Upgrade to Chamilo LMS 2.0.0-RC.3 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-22710 vulnerability details – vuln.today

Back

EUVD-2026-22710

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code