Is PHP affected by CVE-2026-33618?

Chamilo LMS versions before 2.0.0-RC.3 contain a critical remote code execution vulnerability in platform configuration handling that allows authenticated administrative users to execute arbitrary PHP code, resulting in complete system compromise.

CVE-2026-33618

EUVD-2026-21537 HIGH

2026-04-10 GitHub_M

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 10, 2026 - 18:45 vuln.today

EUVD ID Assigned

Apr 10, 2026 - 18:45 euvd

EUVD-2026-21537

CVE Published

Apr 10, 2026 - 18:10 nvd

HIGH 8.8

Description

Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3.

Analysis

Remote code execution in Chamilo LMS versions prior to 2.0.0-RC.3 allows authenticated attackers with administrative privileges to inject and execute arbitrary PHP code via platform configuration settings. The PlatformConfigurationController::decodeSettingArray() method unsafely uses eval() to parse database-stored settings, executing injected code when any user-including unauthenticated visitors-accesses the /platform-config/list endpoint. …

Remediation

Within 24 hours: inventory all Chamilo LMS installations and identify versions prior to 2.0.0-RC.3; immediately restrict administrative access to the platform and disable non-essential administrative accounts pending remediation. Within 7 days: upgrade all affected Chamilo instances to version 2.0.0-RC.3 or later following vendor deployment procedures; validate successful upgrade completion and administrative functionality. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

CVE-2026-33618 vulnerability details – vuln.today

Back

CVE-2026-33618

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-33618

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code