CVE-2026-31941

Name of the Vulnerable Software and Affected Versions Chamilo LMS versions prior to 1.11.38 and prior to 2.0.0-RC.3

Description Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The /read url with open graph endpoint accepts a URL from the user via the social wall new msg main POST parameter and performs server-side HTTP requests to that URL without validating whether the target is internal or external. This allows an authenticated attacker to force the server to make arbitrary HTTP requests to internal services, scan internal ports, and access cloud instance metadata.

Recommendations Update to version 1.11.38 or later. Update to version 2.0.0-RC.3 or later.