{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31939", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T15:10:10.655Z", "datePublished": "2026-04-10T17:32:29.252Z", "dateUpdated": "2026-04-13T15:36:34.681Z"}, "containers": {"cna": {"title": "Path Traversal (Arbitrary File Delete) in Chamilo LMS", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-73", "lang": "en", "description": "CWE-73: External Control of File Name or Path", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx"}, {"name": "https://github.com/chamilo/chamilo-lms/commit/4dddcc19d36119da27b7c49eb84a035800abae78", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/commit/4dddcc19d36119da27b7c49eb84a035800abae78"}, {"name": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38"}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"version": "< 1.11.38", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T17:32:29.252Z"}, "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file feletion. User input from $_REQUEST['test'] is concatenated directly into filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38."}], "source": {"advisory": "GHSA-8q8c-v75x-q2hx", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T15:28:30.583098Z", "id": "CVE-2026-31939", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:36:34.681Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31939", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:28:30.583098Z"}}}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:24:51.999Z"}}], "cna": {"title": "Path Traversal (Arbitrary File Delete) in Chamilo LMS", "source": {"advisory": "GHSA-8q8c-v75x-q2hx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"status": "affected", "version": "< 1.11.38"}]}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx", "name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chamilo/chamilo-lms/commit/4dddcc19d36119da27b7c49eb84a035800abae78", "name": "https://github.com/chamilo/chamilo-lms/commit/4dddcc19d36119da27b7c49eb84a035800abae78", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38", "name": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file feletion. User input from $_REQUEST['test'] is concatenated directly into filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73: External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T17:32:29.252Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31939", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:36:34.681Z", "dateReserved": "2026-03-10T15:10:10.655Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T17:32:29.252Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4D0C5D2-6FA0-4532-8E3D-4EA111A50621", "versionEndExcluding": "1.11.38", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file feletion. User input from $_REQUEST['test'] is concatenated directly into filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38."}], "id": "CVE-2026-31939", "lastModified": "2026-04-17T21:23:42.527", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T18:16:41.313", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/4dddcc19d36119da27b7c49eb84a035800abae78"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.11.38)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "chamilo-lms", "source": "cna", "vendor": "chamilo"}, "product": "chamilo_lms", "vendor": "chamilo"}], "analysis": {"en": {"generated_at": "2026-04-10T20:25:08.645789+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading Chamilo LMS to version 1.11.38 or later", "If an upgrade cannot be performed immediately, restrict access to the main/exercise/savescores.php endpoint to trusted users or IP ranges", "As a temporary mitigation, remove or rename the vulnerable script from the web root so it cannot be invoked", "Ensure that file deletion operations within the application are guarded by proper authentication and authorization checks", "Deploy a web application firewall rule to detect and block requests containing path traversal patterns"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Deletion"}, "threat_synthesis": {"affected_systems": "All deployments of Chamilo LMS earlier than version 1.11.38 are vulnerable. The affected code resides in the public\u2011facing script main/exercise/savescores.php. Users with any level of access to the web interface can potentially trigger the removal of critical course files or other system data if the server\u2019s directory permissions grant write or delete rights.", "description_and_impact": "A path traversal flaw in the Chamilo Learning Management System allows an attacker to delete any file that the web server\u2019s PHP process can access. The vulnerability is triggered by user input that is appended to a filesystem path in the file main/exercise/savescores.php without any path validation. This flaw is classified as a Path Traversal (CWE\u201122) and a Relative Path Traversal (CWE\u201173) attack, giving the attacker control over which file is targeted for removal.", "risk_and_exploitability": "The issue carries a high severity rating. Exploitation can be achieved remotely by sending crafted HTTP requests to the web interface, allowing the deletion of arbitrary files. Although no official exploitation probability score is available, the described path traversal makes the vulnerability readily exploitable. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, but the potential for widespread data loss warrants a high-priority response."}}}}, "created": "2026-04-13T12:43:42.224741+00:00", "updated": "2026-04-13T13:00:05.945767+00:00", "vendors": ["chamilo", "chamilo$PRODUCT$chamilo_lms"]}