CVE-2026-31939
Published: 10 April 2026
Summary
CVE-2026-31939 is a high-severity Path Traversal (CWE-22) vulnerability in Chamilo LMS. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 15.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and canonicalization of user inputs such as the 'test' parameter to block path traversal sequences before filesystem operations.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and patching of flaws such as this path traversal vulnerability, fixed in Chamilo LMS 1.11.38.
- Logical access controls: enforce restrictions so that filesystem paths resolve only to authorized locations, mitigating unauthorized file deletions via traversal.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing LMS web application directly enables remote exploitation (T1190) by authenticated users to perform arbitrary file deletion. That in turn facilitates indicator removal via file deletion (T1070.004) and data destruction with integrity and availability impact (T1485).
NVD Description
Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file deletion. User input from $_REQUEST['test'] is concatenated directly into a filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38.
Deeper analysis
CVE-2026-31939 is a path traversal vulnerability in Chamilo LMS, an open-source learning management system. The issue affects versions prior to 1.11.38 and resides in the main/exercise/savescores.php endpoint, where user input from the $_REQUEST['test'] parameter is directly concatenated into a filesystem path without proper canonicalization or traversal sequence checks. This flaw, associated with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path), enables arbitrary file deletion on the server.
An attacker with low privileges, such as an authenticated user with basic access to the LMS, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants high integrity and availability impacts, allowing deletion of arbitrary files, alongside a low confidentiality impact, as scored at CVSS 8.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H). No special tools or conditions beyond valid authentication are needed.
The vulnerability has been addressed in Chamilo LMS version 1.11.38, as detailed in the project's GitHub security advisory (GHSA-8q8c-v75x-q2hx), release notes, and the fixing commit (4dddcc19d36119da27b7c49eb84a035800abae78). Security practitioners should upgrade to 1.11.38 or later and review access controls for the affected endpoint to mitigate risks.
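The following PHP is an illustrative example added to this page, not Chamilo's code: the first function reproduces the pattern the advisory describes (request input concatenated into a path and passed to unlink()), the second applies the SI-10 mitigation named above (allowlist validation, canonicalization with realpath(), and a containment check) before any filesystem call. The function names, $baseDir, the '.json' suffix and the sample ids are assumptions.

```php
<?php
// Added illustrative example, not Chamilo's code. Function names, $baseDir,
// the '.json' suffix and the sample ids are assumptions for the demo.

// Unsafe pattern: no canonicalization, no traversal check before unlink().
function unsafe_delete(string $baseDir, string $test): bool
{
    $path = $baseDir . '/' . $test . '.json';
    return is_file($path) && unlink($path);
}

// Hardened: validate, canonicalize, then confine to $baseDir before unlink().
function safe_delete(string $baseDir, string $test): bool
{
    // 1. Validate: an exercise id is a short token, never a path fragment.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $test)) {
        return false;
    }
    // 2. Canonicalize both sides; realpath() resolves "..", "." and symlinks
    //    and returns false when the target does not exist (nothing to delete).
    $root = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $test . '.json');
    if ($root === false || $real === false) {
        return false;
    }
    // 3. Confine: the canonical target must lie strictly inside the canonical base.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return is_file($real) && unlink($real);
}

// Self-check in a throwaway directory (constructed sample data).
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'scores_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . '42.json', '{}');
$outside = $base . '_outside.json';
file_put_contents($outside, 'must survive');

var_dump(safe_delete($base, '../scores_' . getmypid() . '_outside')); // traversal attempt
var_dump(safe_delete($base, '42'));                                   // legitimate id
var_dump(file_exists($outside));                                      // file outside base

unlink($outside);
rmdir($base);
```

The allowlist alone already rejects the traversal input; the realpath() and prefix steps are defense in depth for cases where an identifier must legitimately contain separators.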
Details
- CWE(s)