CVE-2026-33715

Published: Apr 14, 2026

Modified: Apr 15, 2026

PUBLISHED

CVSS v3.1

7.2

HIGH

Description

Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authentication and installation-completed checks. Its test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data and uses it to connect to an attacker-specified SMTP server, enabling Server-Side Request Forgery (SSRF) into internal networks via the SMTP protocol. An unauthenticated attacker can also abuse this to weaponize the Chamilo server as an open email relay for phishing and spam campaigns, with emails appearing to originate from the server's IP address. Additionally, error responses from failed SMTP connections may disclose information about internal network topology and running services. This issue has been fixed in version 2.0.0-RC.3.

Vendor	Product	Versions
chamilo	chamilo-lms	affected `>= 2.0-RC.2, < 2.0-RC.3`

Weaknesses (CWE)

CWE-306

CWE-918

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-mxc9-9335-45mc

x_refsource_CONFIRM

https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-33715

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References