Zero Day MonitorZDM

← Back to list

8.3

CVE-2026-31939EXPLOITEDPATCHED

chamilo · chamilo-lms

Path Traversal (Arbitrary File Delete) in Chamilo LMS

Description

Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file feletion. User input from $_REQUEST['test'] is concatenated directly into filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38.

Affected Products

Vendor	Product	Versions
chamilo	chamilo-lms	< 1.11.38, < 1.11.37

References

https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx(x_refsource_CONFIRM)
https://github.com/chamilo/chamilo-lms/commit/4dddcc19d36119da27b7c49eb84a035800abae78(x_refsource_MISC)
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB5h ago

CVE-2026-31939 | Chamilo LMS up to 1.11.37 savescores.php test path traversal

→ No new info (linked only)

CVSS 3.18.3 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.11.38

CWECWE-22, CWE-73

PublishedApr 10, 2026

Last enriched4h agov2

Trending Score49

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-33704EXP

Chamilo LMS Affected by Authenticated Arbitrary File Write via BigUpload endpoint

CRITICALCVE-2026-33706EXP

Chamilo LMS has a REST API Self-Privilege Escalation (Student → Teacher)

CRITICALCVE-2026-32931EXP

Chamilo LMS has Arbitrary File Upload via MIME-Only Validation in Exercise Sound Upload Leads to RCE

CRITICALCVE-2026-32894EXP

Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Deletion of Any Student's Grade Result

CRITICALCVE-2026-31940EXP

Session Fixation in Chamilo LMS

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 10, 2026

Actively Exploited

Apr 10, 2026

Patch Available

Apr 10, 2026

Discovered by ZDM

Apr 10, 2026

Updated: severity, affectedVersions, activelyExploited, patchAvailable

Apr 10, 2026

Version History

v2

Last enriched 4h ago

v2Tier C4h ago

Updated severity to CRITICAL, affected versions to < 1.11.37, and marked the vulnerability as actively exploited.

severityaffectedVersionsactivelyExploitedpatchAvailable

via VulDB

v14h ago

Initial creation