EIP-2026-105811

PRE-CVE

Chamilo LMS IDOR - 'messageId' Delete POST Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-105811. PoCs published by Vulnerability-Lab.

AI-analyzed exploit summary This is a writeup describing an Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS, where an attacker can delete other users' social wall posts by manipulating the 'messageId' parameter. The vulnerability is exploited via a GET request to 'social/profile.php'.

Description

Chamilo LMS IDOR - 'messageId' Delete POST Injection

Exploits (1)

exploitdb WRITEUP

by Vulnerability-Lab · textwebappsphp

https://www.exploit-db.com/exploits/39473

View Code ZIP pw:eip

This is a writeup describing an Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS, where an attacker can delete other users' social wall posts by manipulating the 'messageId' parameter. The vulnerability is exploited via a GET request to 'social/profile.php'.

Classification

Writeup 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Chamilo LMS (version not specified)

Auth required

Prerequisites: Low privilege web-application user account · Access to the target's social wall

MITRE ATT&CK

T1222 - File and Directory Permissions Modification

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026