Skip to main content

Chamilo Lms CVE-2026-33737

| EUVDEUVD-2026-21569 MEDIUM
Improper Restriction of XML External Entity Reference (CWE-611)
2026-04-10 security-advisories@github.com
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0.0-RC.3,1.11.38
EUVD ID Assigned
Apr 10, 2026 - 19:22 euvd
EUVD-2026-21569
Analysis Generated
Apr 10, 2026 - 19:22 vuln.today
CVE Published
Apr 10, 2026 - 19:16 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

AnalysisAI

Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allow authenticated attackers to read arbitrary server files through XML External Entity (XXE) injection via improper use of simplexml_load_string() with the LIBXML_NOENT flag enabled across multiple application files. The vulnerability requires low-privilege authentication and medium attack complexity but grants high confidentiality impact with no integrity or availability impact; no public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

The vulnerability stems from CWE-611 (Improper Restriction of XML External Entity Reference) in which multiple PHP files within Chamilo LMS invoke simplexml_load_string() without disabling XXE processing. When the LIBXML_NOENT flag is set, the XML parser automatically expands external entity declarations, allowing attackers to craft malicious XML payloads that reference local file paths (e.g., file:// URIs). The PHP SimpleXML extension, when configured this way, will resolve these entities and load arbitrary files from the server filesystem into the XML document structure, enabling file disclosure. This is a classic XXE vulnerability pattern affecting server-side XML processing without proper entity expansion controls.

RemediationAI

Upgrade Chamilo LMS to version 1.11.38 (for the 1.11.x branch) or 2.0.0-RC.3 or later (for the 2.0.x branch). The vendor has released patched versions available at the GitHub repository. For environments unable to upgrade immediately, review and disable the LIBXML_NOENT flag in all simplexml_load_string() calls, and implement XXE protection by explicitly disabling external entity expansion via libxml_disable_entity_loader(true) and setting appropriate LoadEntity callbacks. Consult the security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j for detailed patch references and commit history (commits 22b1cb1c609b643765c88654155aba27070c927e and af6b7002af7c15825e98fc522e2ead0d00cacaa3).

CVE-2025-50187 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

CVE-2025-50192 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex

CVE-2025-50190 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.

CVE-2021-35414 CRITICAL POC
9.8 Dec 03

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload

CVE-2019-13082 CRITICAL POC
9.8 Jun 30

Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra

CVE-2025-50199 CRITICAL POC
9.1 Mar 02

Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p

CVE-2023-4220 MEDIUM POC
6.1 Nov 28

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C

CVE-2025-50189 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. [CVSS 8.8 HIGH]

CVE-2025-52468 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi

CVE-2024-30616 HIGH POC
8.8 Nov 04

Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi

CVE-2023-4226 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit

CVE-2023-4225 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers

Share

CVE-2026-33737 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy