Description
Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file deletion. User input from $_REQUEST['test'] is concatenated directly into a filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38.
Published: 2026-04-10
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Deletion
Action: Immediate Patch
AI Analysis

Impact

A path traversal flaw in the Chamilo Learning Management System allows an attacker to delete any file that the web server's PHP process can access. The vulnerability is triggered by user input that is appended to a filesystem path in the file main/exercise/savescores.php without any path validation. This flaw is classified as a Path Traversal (CWE-22) and a Relative Path Traversal (CWE-73) attack, giving the attacker control over which file is targeted for removal.
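The unsafe pattern the advisory describes (a request value appended to a path verbatim) next to a hardened version that canonicalises the result and confines it to one directory, as an added illustrative example in PHP. This is not Chamilo's code: the SCORES_DIR constant, the function names and the deletion wrapper are assumed for the illustration.

```php
<?php
// Added illustrative example, not Chamilo's own code. Hypothetical base
// directory where the application keeps the files it is allowed to delete.
const SCORES_DIR = '/var/www/html/app/upload/scores';

// Unsafe pattern (for contrast only): the request value becomes part of the
// path verbatim, so '..' segments or absolute paths escape SCORES_DIR.
function unsafeScorePath(string $test): string
{
    return SCORES_DIR . '/' . $test;
}

// Hardened version: accept only a plain file name, then canonicalise and
// confirm the resolved path still lives under SCORES_DIR.
function safeScorePath(string $test): ?string
{
    // A plain name only: no separators, no NUL bytes, no '.' or '..'.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $test)
        || $test === '.' || $test === '..') {
        return null;
    }
    $base = realpath(SCORES_DIR);
    if ($base === false) {
        return null; // base directory missing or unreadable
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $test;
    // realpath() resolves symlinks and requires the file to exist, so a link
    // inside SCORES_DIR that points elsewhere is rejected by the prefix check.
    $resolved = realpath($candidate);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($resolved === false || strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

// Deletion wrapper (assumed): refuses and logs anything that fails validation
// so rejected requests are visible to whoever reviews the logs.
function deleteScoreFile(string $test): bool
{
    $path = safeScorePath($test);
    if ($path === null) {
        error_log('rejected score file delete request: ' . json_encode($test));
        return false;
    }
    return unlink($path);
}
```

The authorization check that the recommended actions call for (is this user allowed to delete this score at all?) belongs in front of deleteScoreFile; the path check alone only guarantees the target stays inside SCORES_DIR.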

Affected Systems

All deployments of Chamilo LMS earlier than version 1.11.38 are vulnerable. The affected code resides in the public-facing script main/exercise/savescores.php. Users with any level of access to the web interface can potentially trigger the removal of critical course files or other system data, limited to whatever the server's directory permissions let the PHP process delete.

Risk and Exploitability

The issue carries a high severity rating. Exploitation can be achieved remotely by sending crafted HTTP requests to the web interface, allowing the deletion of arbitrary files. Although no official exploitation probability score is available, the described path traversal makes the vulnerability readily exploitable. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, but the potential for widespread data loss warrants a high-priority response.

Generated by OpenCVE AI on April 10, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading Chamilo LMS to version 1.11.38 or later
  • If an upgrade cannot be performed immediately, restrict access to the main/exercise/savescores.php endpoint to trusted users or IP ranges
  • As a temporary mitigation, remove or rename the vulnerable script from the web root so it cannot be invoked
  • Ensure that file deletion operations within the application are guarded by proper authentication and authorization checks
  • Deploy a web application firewall rule to detect and block requests containing path traversal patterns

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*

Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Chamilo
Chamilo chamilo Lms
Vendors & Products Chamilo
Chamilo chamilo Lms

Fri, 10 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file deletion. User input from $_REQUEST['test'] is concatenated directly into a filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38.
Title Path Traversal (Arbitrary File Delete) in Chamilo LMS
Weaknesses CWE-22
CWE-73
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T15:36:34.681Z

Reserved: 2026-03-10T15:10:10.655Z

Link: CVE-2026-31939

Vulnrichment

Updated: 2026-04-13T15:24:51.999Z

NVD

Status: Analyzed

Published: 2026-04-10T18:16:41.313

Modified: 2026-04-17T21:23:42.527

Link: CVE-2026-31939

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:00:05Z

Weaknesses