{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33715", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:06:05.748Z", "datePublished": "2026-04-14T21:05:35.043Z", "dateUpdated": "2026-04-15T13:37:16.615Z"}, "containers": {"cna": {"title": "Chamilo LMS has Unauthenticated SSRF and Open Email Relay via install.ajax.php test_mailer action", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-mxc9-9335-45mc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-mxc9-9335-45mc"}, {"name": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3"}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"version": ">= 2.0-RC.2, < 2.0-RC.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:05:35.043Z"}, "descriptions": [{"lang": "en", "value": "Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authentication and installation-completed checks. Its test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data and uses it to connect to an attacker-specified SMTP server, enabling Server-Side Request Forgery (SSRF) into internal networks via the SMTP protocol. An unauthenticated attacker can also abuse this to weaponize the Chamilo server as an open email relay for phishing and spam campaigns, with emails appearing to originate from the server's IP address. Additionally, error responses from failed SMTP connections may disclose information about internal network topology and running services. This issue has been fixed in version 2.0.0-RC.3."}], "source": {"advisory": "GHSA-mxc9-9335-45mc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:36:55.706592Z", "id": "CVE-2026-33715", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:37:16.615Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33715", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T13:36:55.706592Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:37:11.270Z"}}], "cna": {"title": "Chamilo LMS has Unauthenticated SSRF and Open Email Relay via install.ajax.php test_mailer action", "source": {"advisory": "GHSA-mxc9-9335-45mc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"status": "affected", "version": ">= 2.0-RC.2, < 2.0-RC.3"}]}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-mxc9-9335-45mc", "name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-mxc9-9335-45mc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3", "name": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authentication and installation-completed checks. Its test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data and uses it to connect to an attacker-specified SMTP server, enabling Server-Side Request Forgery (SSRF) into internal networks via the SMTP protocol. An unauthenticated attacker can also abuse this to weaponize the Chamilo server as an open email relay for phishing and spam campaigns, with emails appearing to originate from the server's IP address. Additionally, error responses from failed SMTP connections may disclose information about internal network topology and running services. This issue has been fixed in version 2.0.0-RC.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:05:35.043Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33715", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:37:16.615Z", "dateReserved": "2026-03-23T17:06:05.748Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T21:05:35.043Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authentication and installation-completed checks. Its test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data and uses it to connect to an attacker-specified SMTP server, enabling Server-Side Request Forgery (SSRF) into internal networks via the SMTP protocol. An unauthenticated attacker can also abuse this to weaponize the Chamilo server as an open email relay for phishing and spam campaigns, with emails appearing to originate from the server's IP address. Additionally, error responses from failed SMTP connections may disclose information about internal network topology and running services. This issue has been fixed in version 2.0.0-RC.3."}], "id": "CVE-2026-33715", "lastModified": "2026-04-14T21:16:26.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T21:16:26.060", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-mxc9-9335-45mc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.0-RC.2,2.0-RC.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "chamilo-lms", "source": "cna", "vendor": "chamilo"}, "product": "chamilo_lms", "vendor": "chamilo"}], "analysis": {"en": {"generated_at": "2026-04-14T22:50:42.380586+00:00", "value": {"mitigation_remediation": ["Upgrade Chamilo LMS to version 2.0.0\u2011RC.3 or later, which removes the unauthenticated test_mailer endpoint.", "If upgrading is not immediately feasible, restrict access to public/main/inc/ajax/install.ajax.php by configuring server-side access controls (e.g., .htaccess) to require authentication or block the URL for unauthenticated users.", "As an additional containment measure, block outbound SMTP traffic from the Chamilo server to prevent it from functioning as an open email relay."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated Server\u2011Side Request Forgery and Open Email Relay"}, "threat_synthesis": {"affected_systems": "Chamilo LMS, open\u2011source learning management system, is affected in version 2.0\u2011RC.2 and prior builds that contain the vulnerable install.ajax.php file. The fix was introduced in version 2.0.0\u2011RC.3, which removes the unauthenticated access to the test_mailer action.", "description_and_impact": "A public AJAX endpoint, public/main/inc/ajax/install.ajax.php, was deployed without the global.inc.php include that enforces authentication checks. The test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data, causing the Chamilo server to attempt an outbound SMTP connection to the provided target. This allows an attacker to send emails that appear to originate from the Chamilo host (an open email relay) and to perform SSRF against internal SMTP services, potentially leaking network topology through error responses. The vulnerability directly leads to unauthorized remote SMTP communication and potential internal network reconnaissance.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high impact with a well\u2011exploitable vector. EPSS data is unavailable, so the likelihood of exploitation is unknown; however, the vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the flaw by issuing an unauthenticated HTTP POST request to the public endpoint and supplying a crafted SMTP DSN. Once invoked, the Chamilo server can relay email and reach internal services, which could facilitate further lateral movement or phishing campaigns."}}}}, "created": "2026-04-15T13:48:23.626222+00:00", "updated": "2026-04-15T14:31:57.038117+00:00", "vendors": ["chamilo", "chamilo$PRODUCT$chamilo_lms"]}