Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
149 vulnerabilities by chamilo
CVE-2026-40291 (GCVE-0-2026-40291)
Vulnerability from cvelistv5 – Published: 2026-04-14 21:37 – Updated: 2026-04-15 14:24
VLAI?
Title
Chamilo LMS has Privilege Escalation via API User Role Modification
Summary
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3.
Severity ?
8.8 (High)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 2.0-RC.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40291",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T14:24:20.523815Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T14:24:29.902Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security expression is_granted(\u0027EDIT\u0027, object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T21:37:55.490Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x"
},
{
"name": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3"
}
],
"source": {
"advisory": "GHSA-7phx-w897-4c9x",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has Privilege Escalation via API User Role Modification"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40291",
"datePublished": "2026-04-14T21:37:55.490Z",
"dateReserved": "2026-04-10T20:22:44.035Z",
"dateUpdated": "2026-04-15T14:24:29.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35196 (GCVE-0-2026-35196)
Vulnerability from cvelistv5 – Published: 2026-04-14 21:33 – Updated: 2026-04-15 14:27
VLAI?
Title
Chamilo LMS has OS Command Injection via export_all_certificates action
Summary
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an OS Command Injection vulnerability exists in the main/inc/ajax/gradebook.ajax.php endpoint within the export_all_certificates action, where the course code retrieved from the session variable $_SESSION['_cid'] via api_get_course_id() is concatenated directly into a shell_exec() command string without sanitization or escaping using escapeshellarg(). If an attacker can manipulate or poison their session data to inject shell metacharacters into the _cid variable, they can achieve arbitrary command execution on the underlying server. Successful exploitation grants full access to read system files and credentials, alters the application and database, or disrupts server availability. This issue has been fixed in version 2.0.0-RC.3.
Severity ?
8.8 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 2.0.0-RC.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35196",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T14:27:21.595475Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T14:27:29.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an OS Command Injection vulnerability exists in the main/inc/ajax/gradebook.ajax.php endpoint within the export_all_certificates action, where the course code retrieved from the session variable $_SESSION[\u0027_cid\u0027] via api_get_course_id() is concatenated directly into a shell_exec() command string without sanitization or escaping using escapeshellarg(). If an attacker can manipulate or poison their session data to inject shell metacharacters into the _cid variable, they can achieve arbitrary command execution on the underlying server. Successful exploitation grants full access to read system files and credentials, alters the application and database, or disrupts server availability. This issue has been fixed in version 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T21:33:13.518Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-crc6-r6c7-44q3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-crc6-r6c7-44q3"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1"
},
{
"name": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3"
}
],
"source": {
"advisory": "GHSA-crc6-r6c7-44q3",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has OS Command Injection via export_all_certificates action"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35196",
"datePublished": "2026-04-14T21:33:13.518Z",
"dateReserved": "2026-04-01T18:48:58.937Z",
"dateUpdated": "2026-04-15T14:27:29.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34602 (GCVE-0-2026-34602)
Vulnerability from cvelistv5 – Published: 2026-04-14 21:29 – Updated: 2026-04-15 13:32
VLAI?
Title
Chamilo LMS: IDOR in /api/course_rel_users Allows Unauthorized Enrollment of Arbitrary Users into Courses
Summary
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR), allowing an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into any course without proper authorization checks. The backend trusts the user-supplied input for the user field and performs no server-side verification that the requester owns the referenced user ID or has permission to act on behalf of other users. This enables unauthorized manipulation of user-course relationships, potentially granting unintended access to course materials, bypassing enrollment controls, and compromising platform integrity. This issue has been fixed in version 2.0.0-RC.3.
Severity ?
7.1 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 2.0.0-RC.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34602",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T13:32:25.460091Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T13:32:34.878Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR), allowing an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into any course without proper authorization checks. The backend trusts the user-supplied input for the user field and performs no server-side verification that the requester owns the referenced user ID or has permission to act on behalf of other users. This enables unauthorized manipulation of user-course relationships, potentially granting unintended access to course materials, bypassing enrollment controls, and compromising platform integrity. This issue has been fixed in version 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T21:29:06.585Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-x373-8j9j-g5pj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-x373-8j9j-g5pj"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/2a9f060fa9d50fc9a92ed93af774d2619642df92",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/2a9f060fa9d50fc9a92ed93af774d2619642df92"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/bd2ba34c2e74475587e38c74c90c2934e69c8779",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/bd2ba34c2e74475587e38c74c90c2934e69c8779"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/c9c30cdc48afae57cd6ab012ae2eceafd351a40e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/c9c30cdc48afae57cd6ab012ae2eceafd351a40e"
},
{
"name": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3"
}
],
"source": {
"advisory": "GHSA-x373-8j9j-g5pj",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS: IDOR in /api/course_rel_users Allows Unauthorized Enrollment of Arbitrary Users into Courses"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34602",
"datePublished": "2026-04-14T21:29:06.585Z",
"dateReserved": "2026-03-30T17:15:52.500Z",
"dateUpdated": "2026-04-15T13:32:34.878Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34370 (GCVE-0-2026-34370)
Vulnerability from cvelistv5 – Published: 2026-04-14 21:25 – Updated: 2026-04-14 21:25
VLAI?
Title
Chamilo LMS: IDOR in the Notebook Module allows an attacker to view other users' private notes
Summary
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the notebook module contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated student to read the private course notes of any other user on the platform by manipulating the notebook_id parameter in the editnote action. The application fetches the note content using only the supplied integer ID without verifying that the requesting user owns the note, and the full title and HTML body are rendered in the edit form and returned to the attacker's browser. While ownership checks exist in the write paths (updateNote() and delete_note()), they are entirely absent from the read path (get_note_information()). This issue has been fixed in version 2.0.0-RC.3.
Severity ?
6.5 (Medium)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 2.0.0-RC.3
|
{
"containers": {
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the notebook module contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated student to read the private course notes of any other user on the platform by manipulating the notebook_id parameter in the editnote action. The application fetches the note content using only the supplied integer ID without verifying that the requesting user owns the note, and the full title and HTML body are rendered in the edit form and returned to the attacker\u0027s browser. While ownership checks exist in the write paths (updateNote() and delete_note()), they are entirely absent from the read path (get_note_information()). This issue has been fixed in version 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T21:25:28.960Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fm35-2hvw-564q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fm35-2hvw-564q"
},
{
"name": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3"
}
],
"source": {
"advisory": "GHSA-fm35-2hvw-564q",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS: IDOR in the Notebook Module allows an attacker to view other users\u0027 private notes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34370",
"datePublished": "2026-04-14T21:25:28.960Z",
"dateReserved": "2026-03-27T13:43:14.369Z",
"dateUpdated": "2026-04-14T21:25:28.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34161 (GCVE-0-2026-34161)
Vulnerability from cvelistv5 – Published: 2026-04-14 21:12 – Updated: 2026-04-14 21:12
VLAI?
Title
Chamilo LMS: Stored XSS via Malicious File Upload in Social Post Attachments Leads to Arbitrary JavaScript Execution
Summary
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the social post attachment upload functionality, where an authenticated user can upload a malicious HTML file containing JavaScript via the /api/social_post_attachments endpoint. The uploaded file is served back from the application at the generated contentUrl without sanitization, content type restrictions, or a Content-Disposition: attachment header, causing the JavaScript to execute in the browser within the application's origin. Because the payload is stored server-side and runs in the trusted origin, an attacker can perform session hijacking, account takeover, privilege escalation (if an admin views the link), and arbitrary actions on behalf of the victim. This issue has been fixed in version 2.0.0-RC.3.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 2.0.0-RC.3
|
{
"containers": {
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the social post attachment upload functionality, where an authenticated user can upload a malicious HTML file containing JavaScript via the /api/social_post_attachments endpoint. The uploaded file is served back from the application at the generated contentUrl without sanitization, content type restrictions, or a Content-Disposition: attachment header, causing the JavaScript to execute in the browser within the application\u0027s origin. Because the payload is stored server-side and runs in the trusted origin, an attacker can perform session hijacking, account takeover, privilege escalation (if an admin views the link), and arbitrary actions on behalf of the victim. This issue has been fixed in version 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T21:12:48.128Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-273p-jw9w-3g22",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-273p-jw9w-3g22"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/7c4965e48769d1d06413836429e386816a465c7f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/7c4965e48769d1d06413836429e386816a465c7f"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/da671d66a146887be3a16eabc5dcf0a92c55f7da",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/da671d66a146887be3a16eabc5dcf0a92c55f7da"
},
{
"name": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3"
}
],
"source": {
"advisory": "GHSA-273p-jw9w-3g22",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS: Stored XSS via Malicious File Upload in Social Post Attachments Leads to Arbitrary JavaScript Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34161",
"datePublished": "2026-04-14T21:12:48.128Z",
"dateReserved": "2026-03-25T20:12:04.197Z",
"dateUpdated": "2026-04-14T21:12:48.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34160 (GCVE-0-2026-34160)
Vulnerability from cvelistv5 – Published: 2026-04-14 21:09 – Updated: 2026-04-15 14:26
VLAI?
Title
Chamilo LMS: Unauthenticated SSRF via PENS Plugin allows attacker to probe internal network and reach cloud metadata services
Summary
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetches using curl without filtering private or internal IP addresses, enabling unauthenticated Server-Side Request Forgery (SSRF). An attacker can exploit this to probe internal network services, access cloud metadata endpoints (such as 169.254.169.254) to steal IAM credentials and sensitive instance metadata, or trigger state-changing operations on internal services via the receipt and alerts callback parameters. No authentication is required to exploit either SSRF vector, significantly increasing the attack surface. This issue has been fixed in version 2.0.0-RC.3.
Severity ?
8.6 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 2.0-RC.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T14:26:08.076970Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T14:26:33.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetches using curl without filtering private or internal IP addresses, enabling unauthenticated Server-Side Request Forgery (SSRF). An attacker can exploit this to probe internal network services, access cloud metadata endpoints (such as 169.254.169.254) to steal IAM credentials and sensitive instance metadata, or trigger state-changing operations on internal services via the receipt and alerts callback parameters. No authentication is required to exploit either SSRF vector, significantly increasing the attack surface. This issue has been fixed in version 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T21:09:36.832Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-g2xj-4cch-j276",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-g2xj-4cch-j276"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/de4058d76fac2413afd023b1ec942e8e79579011",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/de4058d76fac2413afd023b1ec942e8e79579011"
},
{
"name": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3"
}
],
"source": {
"advisory": "GHSA-g2xj-4cch-j276",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS: Unauthenticated SSRF via PENS Plugin allows attacker to probe internal network and reach cloud metadata services"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34160",
"datePublished": "2026-04-14T21:09:36.832Z",
"dateReserved": "2026-03-25T20:12:04.197Z",
"dateUpdated": "2026-04-15T14:26:33.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33715 (GCVE-0-2026-33715)
Vulnerability from cvelistv5 – Published: 2026-04-14 21:05 – Updated: 2026-04-15 13:37
VLAI?
Title
Chamilo LMS has Unauthenticated SSRF and Open Email Relay via install.ajax.php test_mailer action
Summary
Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authentication and installation-completed checks. Its test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data and uses it to connect to an attacker-specified SMTP server, enabling Server-Side Request Forgery (SSRF) into internal networks via the SMTP protocol. An unauthenticated attacker can also abuse this to weaponize the Chamilo server as an open email relay for phishing and spam campaigns, with emails appearing to originate from the server's IP address. Additionally, error responses from failed SMTP connections may disclose information about internal network topology and running services. This issue has been fixed in version 2.0.0-RC.3.
Severity ?
7.2 (High)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
>= 2.0-RC.2, < 2.0-RC.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T13:36:55.706592Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T13:37:16.615Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0-RC.2, \u003c 2.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authentication and installation-completed checks. Its test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data and uses it to connect to an attacker-specified SMTP server, enabling Server-Side Request Forgery (SSRF) into internal networks via the SMTP protocol. An unauthenticated attacker can also abuse this to weaponize the Chamilo server as an open email relay for phishing and spam campaigns, with emails appearing to originate from the server\u0027s IP address. Additionally, error responses from failed SMTP connections may disclose information about internal network topology and running services. This issue has been fixed in version 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T21:05:35.043Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-mxc9-9335-45mc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-mxc9-9335-45mc"
},
{
"name": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3"
}
],
"source": {
"advisory": "GHSA-mxc9-9335-45mc",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has Unauthenticated SSRF and Open Email Relay via install.ajax.php test_mailer action"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33715",
"datePublished": "2026-04-14T21:05:35.043Z",
"dateReserved": "2026-03-23T17:06:05.748Z",
"dateUpdated": "2026-04-15T13:37:16.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33714 (GCVE-0-2026-33714)
Vulnerability from cvelistv5 – Published: 2026-04-14 21:00 – Updated: 2026-04-14 21:00
VLAI?
Title
Chamilo LMS has Authenticated SQL Injection in statistics.ajax.php users_active action (2.0 RC2)
Summary
Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters in the get_user_registration_by_month action, the same parameters remain unsanitized in the users_active action within the same file (public/main/inc/ajax/statistics.ajax.php), where they are directly interpolated into a SQL query. An authenticated admin can exploit this to perform time-based blind SQL injection, enabling extraction of arbitrary data from the database. This issue has been fixed in version 2.0.0.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
>= 2.0.0-RC.2, < 2.0.0
|
{
"containers": {
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0-RC.2, \u003c 2.0.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters in the get_user_registration_by_month action, the same parameters remain unsanitized in the users_active action within the same file (public/main/inc/ajax/statistics.ajax.php), where they are directly interpolated into a SQL query. An authenticated admin can exploit this to perform time-based blind SQL injection, enabling extraction of arbitrary data from the database. This issue has been fixed in version 2.0.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T21:00:19.259Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-w8c4-c7r8-qgw2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-w8c4-c7r8-qgw2"
},
{
"name": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0"
}
],
"source": {
"advisory": "GHSA-w8c4-c7r8-qgw2",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has Authenticated SQL Injection in statistics.ajax.php users_active action (2.0 RC2)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33714",
"datePublished": "2026-04-14T21:00:19.259Z",
"dateReserved": "2026-03-23T17:06:05.747Z",
"dateUpdated": "2026-04-14T21:00:19.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33737 (GCVE-0-2026-33737)
Vulnerability from cvelistv5 – Published: 2026-04-10 19:05 – Updated: 2026-04-13 16:02
VLAI?
Title
Chamilo LMS has an XML External Entity (XXE) Injection
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Severity ?
5.3 (Medium)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33737",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T16:01:59.171472Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T16:02:10.691Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-alpha.1, \u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T19:05:08.873Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3"
}
],
"source": {
"advisory": "GHSA-c4ww-qgf2-v89j",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has an XML External Entity (XXE) Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33737",
"datePublished": "2026-04-10T19:05:08.873Z",
"dateReserved": "2026-03-23T17:34:57.561Z",
"dateUpdated": "2026-04-13T16:02:10.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33736 (GCVE-0-2026-33736)
Vulnerability from cvelistv5 – Published: 2026-04-10 19:03 – Updated: 2026-04-13 20:55
VLAI?
Title
Chamilo LMS has an Insecure Direct Object Reference (IDOR) - User Data Exposure
Summary
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3.
Severity ?
6.5 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
>= 2.0.0-alpha.1, < 2.0.0-RC.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33736",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T20:55:38.682772Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T20:55:46.727Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0-alpha.1, \u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T19:03:18.638Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fp2p-fj6c-x3x9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fp2p-fj6c-x3x9"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/1739371ce1c562c007c7f5d53e6d65b7a4ff4109",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/1739371ce1c562c007c7f5d53e6d65b7a4ff4109"
}
],
"source": {
"advisory": "GHSA-fp2p-fj6c-x3x9",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has an Insecure Direct Object Reference (IDOR) - User Data Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33736",
"datePublished": "2026-04-10T19:03:18.638Z",
"dateReserved": "2026-03-23T17:34:57.561Z",
"dateUpdated": "2026-04-13T20:55:46.727Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33710 (GCVE-0-2026-33710)
Vulnerability from cvelistv5 – Published: 2026-04-10 18:59 – Updated: 2026-04-13 15:36
VLAI?
Title
Chamilo LMS has Weak REST API Key Generation (Predictable)
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Severity ?
7.5 (High)
CWE
- CWE-330 - Use of Insufficiently Random Values
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33710",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T12:51:59.204900Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T15:36:06.835Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-alpha.1, \u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T18:59:24.111Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpmg-j327-mr39",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpmg-j327-mr39"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/4448701bb8ec557e94ef02d19c72cbe9c49c2d09",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/4448701bb8ec557e94ef02d19c72cbe9c49c2d09"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/e7400dd840586ae134b286d0a2374f3d269a9a9d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/e7400dd840586ae134b286d0a2374f3d269a9a9d"
}
],
"source": {
"advisory": "GHSA-rpmg-j327-mr39",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has Weak REST API Key Generation (Predictable)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33710",
"datePublished": "2026-04-10T18:59:24.111Z",
"dateReserved": "2026-03-23T17:06:05.747Z",
"dateUpdated": "2026-04-13T15:36:06.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33708 (GCVE-0-2026-33708)
Vulnerability from cvelistv5 – Published: 2026-04-10 18:54 – Updated: 2026-04-15 15:04
VLAI?
Title
Chamilo LMS has REST API PII Exposure via get_user_info_from_username
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33708",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T15:03:48.949171Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T15:04:02.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T18:54:35.034Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qwch-82q9-q999",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qwch-82q9-q999"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/4a119f93abbfba6fe833580f2463c8d4afa500c2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/4a119f93abbfba6fe833580f2463c8d4afa500c2"
}
],
"source": {
"advisory": "GHSA-qwch-82q9-q999",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has REST API PII Exposure via get_user_info_from_username"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33708",
"datePublished": "2026-04-10T18:54:35.034Z",
"dateReserved": "2026-03-23T17:06:05.747Z",
"dateUpdated": "2026-04-15T15:04:02.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33707 (GCVE-0-2026-33707)
Vulnerability from cvelistv5 – Published: 2026-04-10 18:52 – Updated: 2026-04-13 16:03
VLAI?
Title
Weak Password Recovery Mechanism for Forgotten Password in chamilo/chamilo-lms
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Severity ?
9.4 (Critical)
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33707",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T16:03:02.867530Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T16:03:17.502Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-alpha.1, \u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user\u0027s email can compute the reset token and change the victim\u0027s password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T18:52:54.097Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-f27g-66gq-g7v2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-f27g-66gq-g7v2"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/078d7e5b77679fa7ccfcd6783bd5cc683db0bda8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/078d7e5b77679fa7ccfcd6783bd5cc683db0bda8"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/750a45312a0d5c3ad60dbfbd0d959ca40be4a18c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/750a45312a0d5c3ad60dbfbd0d959ca40be4a18c"
}
],
"source": {
"advisory": "GHSA-f27g-66gq-g7v2",
"discovery": "UNKNOWN"
},
"title": "Weak Password Recovery Mechanism for Forgotten Password in chamilo/chamilo-lms"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33707",
"datePublished": "2026-04-10T18:52:54.097Z",
"dateReserved": "2026-03-23T17:06:05.747Z",
"dateUpdated": "2026-04-13T16:03:17.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33706 (GCVE-0-2026-33706)
Vulnerability from cvelistv5 – Published: 2026-04-10 18:51 – Updated: 2026-04-14 14:02
VLAI?
Title
Chamilo LMS has a REST API Self-Privilege Escalation (Student → Teacher)
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the update_user_from_username endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course creation and management privileges. This vulnerability is fixed in 1.11.38.
Severity ?
7.1 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33706",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T14:01:58.335604Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T14:02:07.696Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the update_user_from_username endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course creation and management privileges. This vulnerability is fixed in 1.11.38."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T18:51:23.824Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3gqc-xr75-pcpw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3gqc-xr75-pcpw"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/0acf8a196307c66c049f97f5ff76cf21c4a08127",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/0acf8a196307c66c049f97f5ff76cf21c4a08127"
}
],
"source": {
"advisory": "GHSA-3gqc-xr75-pcpw",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has a REST API Self-Privilege Escalation (Student \u2192 Teacher)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33706",
"datePublished": "2026-04-10T18:51:23.824Z",
"dateReserved": "2026-03-23T17:06:05.747Z",
"dateUpdated": "2026-04-14T14:02:07.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33705 (GCVE-0-2026-33705)
Vulnerability from cvelistv5 – Published: 2026-04-10 18:32 – Updated: 2026-04-15 15:02
VLAI?
Title
Chamilo LMS has unauthenticated access to Twig template source files exposes application logic
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. This vulnerability is fixed in 1.11.38.
Severity ?
5.3 (Medium)
CWE
- CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33705",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T15:02:23.156125Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T15:02:39.017Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. This vulnerability is fixed in 1.11.38."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-538",
"description": "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T18:33:44.062Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5wjg-8x28-px57",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5wjg-8x28-px57"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/4efb5ee8ed849ca147ca1fe7472ef7b98db17bff",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/4efb5ee8ed849ca147ca1fe7472ef7b98db17bff"
}
],
"source": {
"advisory": "GHSA-5wjg-8x28-px57",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has unauthenticated access to Twig template source files exposes application logic"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33705",
"datePublished": "2026-04-10T18:32:45.193Z",
"dateReserved": "2026-03-23T17:06:05.746Z",
"dateUpdated": "2026-04-15T15:02:39.017Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33704 (GCVE-0-2026-33704)
Vulnerability from cvelistv5 – Published: 2026-04-10 18:30 – Updated: 2026-04-13 16:04
VLAI?
Title
Chamilo LMS Affected by Authenticated Arbitrary File Write via BigUpload endpoint
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38.
Severity ?
7.1 (High)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33704",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T16:04:02.438980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T16:04:11.514Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T18:30:48.478Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00"
}
],
"source": {
"advisory": "GHSA-phfx-pwwg-945v",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS Affected by Authenticated Arbitrary File Write via BigUpload endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33704",
"datePublished": "2026-04-10T18:30:48.478Z",
"dateReserved": "2026-03-23T17:06:05.746Z",
"dateUpdated": "2026-04-13T16:04:11.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33703 (GCVE-0-2026-33703)
Vulnerability from cvelistv5 – Published: 2026-04-10 18:23 – Updated: 2026-04-14 14:05
VLAI?
Title
Chamilo LMS Critical IDOR: Any Authenticated User Can Extract All Users’ Personal Data and API Tokens
Summary
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId parameter. This results in mass disclosure of sensitive user information and credentials, enabling a full platform data breach. This vulnerability is fixed in 2.0.0-RC.3.
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 2.0.0-RC.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33703",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T14:05:15.563101Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T14:05:24.505Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId parameter. This results in mass disclosure of sensitive user information and credentials, enabling a full platform data breach. This vulnerability is fixed in 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T18:23:01.031Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-27x6-c5c7-gpf5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-27x6-c5c7-gpf5"
}
],
"source": {
"advisory": "GHSA-27x6-c5c7-gpf5",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS Critical IDOR: Any Authenticated User Can Extract All Users\u2019 Personal Data and API Tokens"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33703",
"datePublished": "2026-04-10T18:23:01.031Z",
"dateReserved": "2026-03-23T17:06:05.746Z",
"dateUpdated": "2026-04-14T14:05:24.505Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33702 (GCVE-0-2026-33702)
Vulnerability from cvelistv5 – Published: 2026-04-10 18:15 – Updated: 2026-04-13 15:36
VLAI?
Title
Chamilo LMS has an Insecure Direct Object Reference (IDOR)
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path progress — including score, status, completion, and time — without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user's Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Severity ?
7.1 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33702",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T15:28:28.539478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T15:36:13.742Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-alpha.1, \u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user\u0027s Learning Path progress \u2014 including score, status, completion, and time \u2014 without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user\u0027s Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T18:15:49.964Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/6331d051b4468deb5830c01d1e047c5e5cf2c74f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/6331d051b4468deb5830c01d1e047c5e5cf2c74f"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/bf3f6c6949b5c882b48a9914baa19910417e4551",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/bf3f6c6949b5c882b48a9914baa19910417e4551"
}
],
"source": {
"advisory": "GHSA-3rv7-9fhx-j654",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has an Insecure Direct Object Reference (IDOR)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33702",
"datePublished": "2026-04-10T18:15:49.964Z",
"dateReserved": "2026-03-23T17:06:05.746Z",
"dateUpdated": "2026-04-13T15:36:13.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33698 (GCVE-0-2026-33698)
Vulnerability from cvelistv5 – Published: 2026-04-10 18:14 – Updated: 2026-04-15 15:00
VLAI?
Title
Chamilo LMS affected by unauthenticated RCE in main/install folder
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals with the main/install/ directory still present and read-accessible. This vulnerability is fixed in 1.11.38.
Severity ?
CWE
- CWE-552 - Files or Directories Accessible to External Parties
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33698",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T14:58:47.855787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T15:00:31.550Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals with the main/install/ directory still present and read-accessible. This vulnerability is fixed in 1.11.38."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552: Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T18:14:17.424Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-557g-2w66-gpmf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-557g-2w66-gpmf"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/d3355d7873c7e5b907c5fa84cbd5d9b62ed33e51",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/d3355d7873c7e5b907c5fa84cbd5d9b62ed33e51"
}
],
"source": {
"advisory": "GHSA-557g-2w66-gpmf",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS affected by unauthenticated RCE in main/install folder"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33698",
"datePublished": "2026-04-10T18:14:17.424Z",
"dateReserved": "2026-03-23T17:06:05.746Z",
"dateUpdated": "2026-04-15T15:00:31.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33618 (GCVE-0-2026-33618)
Vulnerability from cvelistv5 – Published: 2026-04-10 18:10 – Updated: 2026-04-10 18:46
VLAI?
Title
Chamilo LMS Affected by Remote Code Execution via eval() in Platform Settings
Summary
Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3.
Severity ?
8.8 (High)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
>= 2.0.0-alpha.1, < 2.0.0-RC.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33618",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T18:46:00.091797Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T18:46:09.585Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0-alpha.1, \u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP\u0027s eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T18:10:16.691Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hp4w-jmwc-pg7w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hp4w-jmwc-pg7w"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/f2c382c94a3f153a4d7e5ce5686c5a219fd09b3b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/f2c382c94a3f153a4d7e5ce5686c5a219fd09b3b"
}
],
"source": {
"advisory": "GHSA-hp4w-jmwc-pg7w",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS Affected by Remote Code Execution via eval() in Platform Settings"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33618",
"datePublished": "2026-04-10T18:10:16.691Z",
"dateReserved": "2026-03-23T14:24:11.616Z",
"dateUpdated": "2026-04-10T18:46:09.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33141 (GCVE-0-2026-33141)
Vulnerability from cvelistv5 – Published: 2026-04-10 18:01 – Updated: 2026-04-14 14:06
VLAI?
Title
Chamilo LMS has an IDOR in REST API Stats Endpoint Exposes Any User's Learning Data
Summary
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress, certificates, and gradebook scores for any course, without enrollment or supervisory relationship. This vulnerability is fixed in 2.0.0-RC.3.
Severity ?
6.5 (Medium)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 2.0.0-RC.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T14:05:56.361338Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T14:06:11.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user\u0027s learning progress, certificates, and gradebook scores for any course, without enrollment or supervisory relationship. This vulnerability is fixed in 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T18:01:26.027Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-j2pr-2r5w-jrpj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-j2pr-2r5w-jrpj"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/792ba05953470ca971617fe2674ed14c1479fa80",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/792ba05953470ca971617fe2674ed14c1479fa80"
}
],
"source": {
"advisory": "GHSA-j2pr-2r5w-jrpj",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has an IDOR in REST API Stats Endpoint Exposes Any User\u0027s Learning Data"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33141",
"datePublished": "2026-04-10T18:01:26.027Z",
"dateReserved": "2026-03-17T20:35:49.929Z",
"dateUpdated": "2026-04-14T14:06:11.889Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32892 (GCVE-0-2026-32892)
Vulnerability from cvelistv5 – Published: 2026-04-10 17:56 – Updated: 2026-04-14 14:07
VLAI?
Title
OS Command Injection in Chamilo LMS 1.11.36
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter — which only passes through Security::remove_XSS() (an HTML-only filter) — is concatenated directly into shell commands such as exec("mv $source $target"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Severity ?
9.1 (Critical)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32892",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T14:07:07.082335Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T14:07:14.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-alpha.1, \u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter \u2014 which only passes through Security::remove_XSS() (an HTML-only filter) \u2014 is concatenated directly into shell commands such as exec(\"mv $source $target\"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T17:56:57.695Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-59cv-qh65-vvrr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-59cv-qh65-vvrr"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/3597b19b73d73d681e4fb503285e9bbfe71714bf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/3597b19b73d73d681e4fb503285e9bbfe71714bf"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1"
}
],
"source": {
"advisory": "GHSA-59cv-qh65-vvrr",
"discovery": "UNKNOWN"
},
"title": "OS Command Injection in Chamilo LMS 1.11.36"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32892",
"datePublished": "2026-04-10T17:56:57.695Z",
"dateReserved": "2026-03-16T21:03:44.422Z",
"dateUpdated": "2026-04-14T14:07:14.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32932 (GCVE-0-2026-32932)
Vulnerability from cvelistv5 – Published: 2026-04-10 17:51 – Updated: 2026-04-13 15:36
VLAI?
Title
Chamilo LMS has an Open Redirect via Unvalidated 'page' Parameter in Session Course Edit
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The redirect also leaks the id_session parameter to the attacker's server. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Severity ?
4.7 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32932",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T12:52:22.657541Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T15:36:22.092Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-alpha.1, \u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The redirect also leaks the id_session parameter to the attacker\u0027s server. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T17:51:58.480Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q2cp-3qj3-wx8q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q2cp-3qj3-wx8q"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/b005b3d3e76cf6eafc03e15ac445ceff089551c0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/b005b3d3e76cf6eafc03e15ac445ceff089551c0"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/fbd8d7eb37d05ec974293f05b6ffaaf9102ebd2b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/fbd8d7eb37d05ec974293f05b6ffaaf9102ebd2b"
}
],
"source": {
"advisory": "GHSA-q2cp-3qj3-wx8q",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has an Open Redirect via Unvalidated \u0027page\u0027 Parameter in Session Course Edit"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32932",
"datePublished": "2026-04-10T17:51:58.480Z",
"dateReserved": "2026-03-17T00:05:53.282Z",
"dateUpdated": "2026-04-13T15:36:22.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32931 (GCVE-0-2026-32931)
Vulnerability from cvelistv5 – Published: 2026-04-10 17:50 – Updated: 2026-04-15 14:56
VLAI?
Title
Chamilo LMS has Arbitrary File Upload via MIME-Only Validation in Exercise Sound Upload Leads to RCE
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its original .php extension and is placed in a web-accessible directory, enabling Remote Code Execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Severity ?
7.5 (High)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32931",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T14:52:59.648858Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T14:56:10.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-alpha.1, \u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its original .php extension and is placed in a web-accessible directory, enabling Remote Code Execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T17:50:40.176Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-863j-h6pf-3xhx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-863j-h6pf-3xhx"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/8cbe660de267f2b6ed625433bdfcf38dee8752b4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/8cbe660de267f2b6ed625433bdfcf38dee8752b4"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/d5ef5153df3d1b2de112cbeb190cdd10bea457f3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/d5ef5153df3d1b2de112cbeb190cdd10bea457f3"
}
],
"source": {
"advisory": "GHSA-863j-h6pf-3xhx",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has Arbitrary File Upload via MIME-Only Validation in Exercise Sound Upload Leads to RCE"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32931",
"datePublished": "2026-04-10T17:50:40.176Z",
"dateReserved": "2026-03-17T00:05:53.282Z",
"dateUpdated": "2026-04-15T14:56:10.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32930 (GCVE-0-2026-32930)
Vulnerability from cvelistv5 – Published: 2026-04-10 17:48 – Updated: 2026-04-10 18:32
VLAI?
Title
Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Evaluation Edit Without Ownership Check
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Severity ?
7.1 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32930",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T18:32:00.471726Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T18:32:13.726Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-alpha.1, \u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T17:48:51.774Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-9h22-wrg7-82q6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-9h22-wrg7-82q6"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/63e1e6d3d717bd537c7c61719416da35aaa658dd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/63e1e6d3d717bd537c7c61719416da35aaa658dd"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/f03f681df939db0429edc8414fb3ce4e4b80d79d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/f03f681df939db0429edc8414fb3ce4e4b80d79d"
}
],
"source": {
"advisory": "GHSA-9h22-wrg7-82q6",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Evaluation Edit Without Ownership Check"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32930",
"datePublished": "2026-04-10T17:48:51.774Z",
"dateReserved": "2026-03-17T00:05:53.281Z",
"dateUpdated": "2026-04-10T18:32:13.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32894 (GCVE-0-2026-32894)
Vulnerability from cvelistv5 – Published: 2026-04-10 17:44 – Updated: 2026-04-13 15:36
VLAI?
Title
Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Deletion of Any Student's Grade Result
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Severity ?
7.1 (High)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32894",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T15:28:29.597656Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T15:36:28.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-alpha.1, \u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student\u0027s grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T17:44:24.994Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519"
}
],
"source": {
"advisory": "GHSA-rqpg-p95v-fv98",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Deletion of Any Student\u0027s Grade Result"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32894",
"datePublished": "2026-04-10T17:44:24.994Z",
"dateReserved": "2026-03-16T21:03:44.422Z",
"dateUpdated": "2026-04-13T15:36:28.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32893 (GCVE-0-2026-32893)
Vulnerability from cvelistv5 – Published: 2026-04-10 17:42 – Updated: 2026-04-15 14:51
VLAI?
Title
Chamilo LMS has Reflected XSS via Unsanitized http_build_query() in Exercise Question List Pagination
Summary
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_build_query() directly into HTML href attributes without htmlspecialchars() encoding. This vulnerability is fixed in 2.0.0-RC.3.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
>= 2.0.0-alpha.1, < 2.0.0-RC.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32893",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T14:50:51.197029Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T14:51:41.852Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0-alpha.1, \u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher\u0027s browser. The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_build_query() directly into HTML href attributes without htmlspecialchars() encoding. This vulnerability is fixed in 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T17:42:24.220Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-37jh-g64j-88mc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-37jh-g64j-88mc"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/72bc403f89b1ebb73a139f8f6cf0478857592276",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/72bc403f89b1ebb73a139f8f6cf0478857592276"
}
],
"source": {
"advisory": "GHSA-37jh-g64j-88mc",
"discovery": "UNKNOWN"
},
"title": "Chamilo LMS has Reflected XSS via Unsanitized http_build_query() in Exercise Question List Pagination"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32893",
"datePublished": "2026-04-10T17:42:24.220Z",
"dateReserved": "2026-03-16T21:03:44.422Z",
"dateUpdated": "2026-04-15T14:51:41.852Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31941 (GCVE-0-2026-31941)
Vulnerability from cvelistv5 – Published: 2026-04-10 17:37 – Updated: 2026-04-10 18:33
VLAI?
Title
Server-Side Request Forgery (SSRF) in Chamilo LMS
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main POST parameter and performs two server-side HTTP requests to that URL without validating whether the target is an internal or external resource. This allows an authenticated attacker to force the server to make arbitrary HTTP requests to internal services, scan internal ports, and access cloud instance metadata. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Severity ?
7.7 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31941",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T18:33:07.577004Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T18:33:22.920Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-alpha.1, \u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main POST parameter and performs two server-side HTTP requests to that URL without validating whether the target is an internal or external resource. This allows an authenticated attacker to force the server to make arbitrary HTTP requests to internal services, scan internal ports, and access cloud instance metadata. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T17:37:50.948Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q74c-mx8x-489h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q74c-mx8x-489h"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/e3790c5f0ff3b4dc547c2099fadf5c438c1bb265",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/e3790c5f0ff3b4dc547c2099fadf5c438c1bb265"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/ea6b7b7e90580c9b01dc4bcafe4ad737061e0ead",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/ea6b7b7e90580c9b01dc4bcafe4ad737061e0ead"
}
],
"source": {
"advisory": "GHSA-q74c-mx8x-489h",
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery (SSRF) in Chamilo LMS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31941",
"datePublished": "2026-04-10T17:37:50.948Z",
"dateReserved": "2026-03-10T15:10:10.655Z",
"dateUpdated": "2026-04-10T18:33:22.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31940 (GCVE-0-2026-31940)
Vulnerability from cvelistv5 – Published: 2026-04-10 17:35 – Updated: 2026-04-14 14:12
VLAI?
Title
Session Fixation in Chamilo LMS
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Severity ?
7.5 (High)
CWE
- CWE-384 - Session Fixation
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31940",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T14:12:20.377261Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T14:12:28.550Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-alpha.1, \u003c 2.0.0-RC.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T17:35:10.661Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4gp7-cfjh-77gv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4gp7-cfjh-77gv"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/ce0192c62e48c9d9474d915c541b3274844afbf9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/ce0192c62e48c9d9474d915c541b3274844afbf9"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/e337b7cc74a0276a0b4f91f9282204d20cac1869",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/e337b7cc74a0276a0b4f91f9282204d20cac1869"
}
],
"source": {
"advisory": "GHSA-4gp7-cfjh-77gv",
"discovery": "UNKNOWN"
},
"title": "Session Fixation in Chamilo LMS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31940",
"datePublished": "2026-04-10T17:35:10.661Z",
"dateReserved": "2026-03-10T15:10:10.655Z",
"dateUpdated": "2026-04-14T14:12:28.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31939 (GCVE-0-2026-31939)
Vulnerability from cvelistv5 – Published: 2026-04-10 17:32 – Updated: 2026-04-13 15:36
VLAI?
Title
Path Traversal (Arbitrary File Delete) in Chamilo LMS
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file feletion. User input from $_REQUEST['test'] is concatenated directly into filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38.
Severity ?
8.3 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chamilo | chamilo-lms |
Affected:
< 1.11.38
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31939",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T15:28:30.583098Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T15:36:34.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "chamilo-lms",
"vendor": "chamilo",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.38"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file feletion. User input from $_REQUEST[\u0027test\u0027] is concatenated directly into filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73: External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T17:32:29.252Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx"
},
{
"name": "https://github.com/chamilo/chamilo-lms/commit/4dddcc19d36119da27b7c49eb84a035800abae78",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/commit/4dddcc19d36119da27b7c49eb84a035800abae78"
},
{
"name": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38"
}
],
"source": {
"advisory": "GHSA-8q8c-v75x-q2hx",
"discovery": "UNKNOWN"
},
"title": "Path Traversal (Arbitrary File Delete) in Chamilo LMS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31939",
"datePublished": "2026-04-10T17:32:29.252Z",
"dateReserved": "2026-03-10T15:10:10.655Z",
"dateUpdated": "2026-04-13T15:36:34.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}