CVE-2026-34160HIGH 8.6EPSS p26.1%

CVE-2026-34160CVE-2026-34160

Description

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetches using curl without filtering private or internal IP addresses, enabling unauthenticated Server-Side Request Forgery (SSRF). An attacker can exploit this to probe internal network services, access cloud metadata endpoints (such as 169.254.169.254) to steal IAM credentials and sensitive instance metadata, or trigger state-changing operations on internal services via the receipt and alerts callback parameters. No authentication is required to exploit either SSRF vector, significantly increasing the attack surface. This issue has been fixed in version 2.0.0-RC.3.

Scoring

CVSS 3.18.6 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS0.34% probability of exploitation · percentile 26.1% · 2026-06-18T12:00:27Z
Published2026-04-14
Last modified2026-04-23

Underlying weaknesses· 2

CWE-306CWE-918

References

  1. https://github.com/chamilo/chamilo-lms/commit/de4058d76fac2413afd023b1ec942e8e79579011
  2. https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3
  3. https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-g2xj-4cch-j276

2

TypeTargetConfidenceTier
WeaknessMissing Authentication for Critical Functioncwe-3060%live
WeaknessServer-Side Request Forgery (SSRF)cwe-9180%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-50199
CVE
CVE-2026-35196
CVE
CVE-2026-28430
CVE
CVE-2025-59541
CVE
CVE-2025-55289
CVE
CVE-2026-29041
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.