PT-2026-32916 · Unknown · Chamilo Lms

Romain-Deperne · Published 2026-04-14 · Updated 2026-04-15 · CVE-2026-34160

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Chamilo LMS versions prior to 2.0.0-RC.3

Description: The PENS (Package Exchange Notification Services) plugin endpoint 'public/plugin/Pens/pens.php' is accessible without authentication. It accepts a user-controlled 'package-url' parameter that the server fetches with curl without filtering private or internal IP addresses, which enables Server-Side Request Forgery (SSRF). SSRF is a flaw that allows an attacker to induce the server-side application to make requests to an unexpected destination. An attacker can use this to probe internal network services, reach cloud metadata endpoints to steal IAM credentials and sensitive instance metadata, or trigger state-changing operations on internal services via the receipt and alerts callback parameters.

Recommendations: Update to version 2.0.0-RC.3.
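A destination check of the kind the description says the endpoint lacks, as an added example that is not Chamilo's code (Python rather than the plugin's PHP; the function names, the network list and the sample hosts are assumptions): it decides on the resolved addresses, rejects any answer in loopback, private, link-local (including the cloud metadata address) or mapped-IPv4 space, and returns the addresses the fetcher is allowed to connect to.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a package fetcher must never reach (assumed list): loopback, RFC 1918/ULA
# private space, CGNAT, link-local (holds the 169.254.169.254 cloud metadata
# service), multicast/reserved and the unspecified address.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

def default_resolver(host):
    # Every A and AAAA answer, de-duplicated; all of them must pass the check.
    return list(dict.fromkeys(info[4][0] for info in socket.getaddrinfo(host, None)))

def is_blocked_ip(ip_text):
    ip = ipaddress.ip_address(ip_text)
    ip = getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:10.0.0.1 is really 10.0.0.1
    return any(ip in net for net in BLOCKED_NETWORKS)

def validate_package_url(url, resolver=default_resolver):
    """Return the addresses the fetcher may connect to, or raise ValueError.
    The decision is made on resolved addresses rather than on the URL text, so
    hostnames and decimal/hex IP spellings are judged by where they actually lead."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host, or credentials embedded in the URL")
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]  # literal IP in the URL
    except ValueError:
        addrs = resolver(parts.hostname)
    if not addrs:
        raise ValueError("host did not resolve")
    for addr in addrs:
        if is_blocked_ip(addr):
            raise ValueError("destination %s is internal" % addr)
    # Connect to exactly these addresses (curl: CURLOPT_RESOLVE) so the DNS answer
    # cannot change between check and fetch, and re-check every redirect target.
    return addrs

def is_safe_package_url(url, resolver=default_resolver):
    try:
        return bool(validate_package_url(url, resolver=resolver))
    except ValueError:
        return False
```

The same check has to be applied to the receipt and alerts callback URLs, since the description names them as a second way to reach internal services.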

Fix · Missing Authentication · SSRF

Weakness Enumeration

Related Identifiers: CVE-2026-34160

Affected Products: Chamilo Lms