Improper access control in Chamilo LMS - CVE-2026-34239
Published: July 7, 2026
Chamilo LMS
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper access control in main/inc/ajax/lang.ajax.php — translate_portfolio_category when handling requests to the endpoint. A remote user can send a crafted request to execute arbitrary code.
The endpoint is reachable by any authenticated user enrolled in a course, including students, teachers, and DRH users.