Attack Chain

1. An authenticated user accesses the main/exercise/savescores.php script within the Chamilo LMS application.
2. The application retrieves the value of the test parameter from the $_REQUEST array.
3. The application concatenates this user-supplied value directly into a file system path without proper sanitization or validation.
4. The application then attempts to delete the file specified by the constructed path using a function such as unlink().
5. An attacker crafts a malicious test parameter containing path traversal sequences (e.g., ../../) to navigate outside the intended directory.
6. The application, without proper checks, uses the manipulated path to delete a file outside of the designated exercise directory.
7. The attacker successfully deletes arbitrary files on the server, potentially including sensitive configuration files or other critical data.

Impact

Successful exploitation of CVE-2026-31939 allows an attacker to delete arbitrary files on the Chamilo LMS server. This can lead to data loss, system instability, and potential compromise of the entire system. The CVSS v3.1 score of 8.3 (HIGH) reflects the potential for significant impact, with confidentiality, integrity, and availability all being affected. The number of victims depends on the deployment size and user base of the affected Chamilo LMS instances.

Recommendation

• Upgrade Chamilo LMS to version 1.11.38 or later to patch CVE-2026-31939, as indicated in the advisory https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38.
• Implement input validation and sanitization on all user-supplied input, especially the test parameter in main/exercise/savescores.php, to prevent path traversal attacks.
• Monitor web server logs for suspicious requests to main/exercise/savescores.php containing path traversal sequences (e.g., ../, ..\\), using the provided Sigma rule as a guide.
• Implement file system access controls to limit the permissions of the web server process to only the necessary directories.