Skip to main content

Chamilo Lms CVE-2026-33705

| EUVDEUVD-2026-21557 MEDIUM
Insertion of Sensitive Information into Externally-Accessible File (CWE-538)
2026-04-10 security-advisories@github.com
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.11.38
EUVD ID Assigned
Apr 10, 2026 - 19:22 euvd
EUVD-2026-21557
Analysis Generated
Apr 10, 2026 - 19:22 vuln.today
CVE Published
Apr 10, 2026 - 19:16 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. This vulnerability is fixed in 1.11.38.

AnalysisAI

Chamilo LMS versions prior to 1.11.38 expose Twig template files (.tpl) in the /main/template/default/ directory to unauthenticated HTTP GET requests, allowing remote attackers to disclose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure without authentication. This information disclosure vulnerability has a CVSS score of 5.3 with confirmed patch availability in version 1.11.38.

Technical ContextAI

Chamilo LMS uses Twig templating engine for dynamic content rendering. Template files (.tpl) located in /main/template/default/ are intended for server-side processing and contain embedded application logic, variable references, and API endpoints. The vulnerability arises from inadequate web server access controls or framework routing logic that fails to restrict direct HTTP access to these template files. CWE-538 (Information Exposure Through Persistent Cookies) is referenced, though the root cause appears to be improper directory/file access controls rather than cookie-specific exposure. Attackers can simply request template files via standard HTTP GET, bypassing the authentication mechanisms that protect compiled or rendered output. The exposure of AJAX endpoint URLs and admin panel structure significantly increases the attack surface for secondary exploitation (privilege escalation, CSRF, XSS, or other attacks targeting identified endpoints).

RemediationAI

Upgrade Chamilo LMS to version 1.11.38 or later, which includes access control fixes preventing direct HTTP access to template files in /main/template/default/. Install the patched version by downloading the release from the official GitHub repository (https://github.com/chamilo/chamilo-lms) or applying the security advisory patch documented at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5wjg-8x28-px57. As an interim workaround pending patch deployment, configure your web server (Apache/Nginx) to block direct requests to .tpl files by implementing access control rules (e.g., Apache .htaccess or Nginx location blocks) that deny GET/HEAD requests to /main/template/default/*.tpl and similar template directories. Verify remediation by attempting to fetch a template file directly (e.g., http://your-chamilo-instance/main/template/default/index.tpl) and confirming a 403 Forbidden response.

CVE-2025-50187 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

CVE-2025-50192 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex

CVE-2025-50190 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.

CVE-2021-35414 CRITICAL POC
9.8 Dec 03

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload

CVE-2019-13082 CRITICAL POC
9.8 Jun 30

Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra

CVE-2025-50199 CRITICAL POC
9.1 Mar 02

Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p

CVE-2023-4220 MEDIUM POC
6.1 Nov 28

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C

CVE-2025-50189 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. [CVSS 8.8 HIGH]

CVE-2025-52468 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi

CVE-2024-30616 HIGH POC
8.8 Nov 04

Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi

CVE-2023-4226 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit

CVE-2023-4225 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers

Share

CVE-2026-33705 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy