CVE-2026-34160

HIGH EPSS 26.3%
Published Apr 14, 20262mo ago · Modified Jun 17, 20262w ago
8.6 CVSS 3.1
High
Find Similar
Published Apr 14, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetches using curl without filtering private or internal IP addresses, enabling unauthenticated Server-Side Request Forgery (SSRF). An attacker can exploit this to probe internal network services, access cloud metadata endpoints (such as 169.254.169.254) to steal IAM credentials and sensitive instance metadata, or trigger state-changing operations on internal services via the receipt and alerts callback parameters. No authentication is required to exploit either SSRF vector, significantly increasing the attack surface. This issue has been fixed in version 2.0.0-RC.3.

CVSS Details

Base Score
8.6
Exploitability
3.9
Impact
4.0
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
26.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-306 Missing Authentication for Critical Function Authentication
CWE-918 Server-Side Request Forgery (SSRF) Validation

Affected Products 11

VendorProductVersionRange
chamilochamilo_lms* ≤1.11.38
chamilochamilo_lms2.0.0any
chamilochamilo_lms2.0.0any
chamilochamilo_lms2.0.0any
chamilochamilo_lms2.0.0any
chamilochamilo_lms2.0.0any
chamilochamilo_lms2.0.0any
chamilochamilo_lms2.0.0any
chamilochamilo_lms2.0.0any
chamilochamilo_lms2.0.0any
chamilochamilo_lms2.0.0any

References 3

  • github.com https://github.com/chamilo/chamilo-lms/commit/de4058d76fac2413afd023b1ec942e8e79579011
    Patch
  • github.com https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3
    ProductRelease Notes
  • github.com https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-g2xj-4cch-j276
    Vendor Advisory

Remediation

  • github.com https://github.com/chamilo/chamilo-lms/commit/de4058d76fac2413afd023b1ec942e8e79579011
    Patch