Path traversal in Chamilo LMS - #VU137019
Published: July 7, 2026
Chamilo LMS
Detailed vulnerability description
The vulnerability allows a remote user to delete arbitrary files and cause a denial of service.
The vulnerability exists due to improper input validation in the plugin/cleandeletedfiles/src/ajax.php AJAX endpoint when handling path and list parameters. A remote user can send a specially crafted request to delete arbitrary files and cause a denial of service.
The issue is exposed through the cleandeletedfiles plugin and can also be exploited via cross-site request forgery against an administrator session.