Path Traversal Vulnerability in Chamilo LMS Affects User Data Security
CVE-2026-31939

8.3HIGH

Key Information:

Vendor

Chamilo

Status
Chamilo-lms
Vendor
CVE Published:
10 April 2026

What is CVE-2026-31939?

Chamilo LMS, a popular learning management system, has a critical path traversal vulnerability in the savescores.php file before version 1.11.38. This issue arises when user input from the $_REQUEST['test'] variable is directly concatenated into the filesystem path, allowing attackers to bypass security measures. Without appropriate validation or canonicalization, this flaw enables the possibility of arbitrary file deletion, jeopardizing user data. It is essential for administrators to update to version 1.11.38 or later to mitigate this risk. For detailed information, visit the official security advisory page.

Affected Version(s)

chamilo-lms < 1.11.38

References

https://github.com/chamilo/chamilo-lms/security/advisorie...
x_refsource_CONFIRM
https://github.com/chamilo/chamilo-lms/commit/4dddcc19d36...
x_refsource_MISC
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38
x_refsource_MISC

CVSS V3.1

Score:
8.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.