SB20260424128 - Multiple vulnerabilities in Chamilo LMS

Published: April 24, 2026

Security Bulletin ID: SB20260424128
CSH Severity: High
Patch available: Yes
Number of vulnerabilities: 13
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 15%
Medium: 23%
Low: 62%

Description

This security bulletin contains information about 13 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-33698)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper access control in the main/install directory, whose PHP code is otherwise blocked after installation. A remote attacker can enable PHP code in that directory and modify existing files or create new files to execute arbitrary code.

Only portals with the main/install/ directory still present and readable are vulnerable.


2) Missing Authorization (CVE-ID: CVE-2026-33708)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to missing authorization in the get_user_info_from_username REST API endpoint when handling authenticated requests for user information by username. A remote user can send a crafted API request with a target username to disclose sensitive information.

The endpoint returns email address, first name, last name, user ID, username, and active status for arbitrary users.


3) Use of insufficiently random values (CVE-ID: CVE-2026-33710)

CWE-ID: CWE-330 - Use of Insufficiently Random Values

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to use of insufficiently random values in REST API key generation in main/inc/lib/usermanager.lib.php when generating API keys. A remote attacker can brute-force a predictable API key to disclose sensitive information.

Exploitation requires knowledge of a username and an approximate API key creation time.


4) Weak Password Recovery Mechanism for Forgotten Password (CVE-ID: CVE-2026-33707)

CWE-ID: CWE-640 - Weak password recovery mechanism

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to take over arbitrary user accounts.

The vulnerability exists due to a weak password recovery mechanism in main/inc/lib/login.lib.php when processing password reset requests. A remote attacker can compute a deterministic reset token from a known email address and submit a crafted password reset request to take over arbitrary user accounts.

This issue affects the default password reset path when the user_reset_password setting is disabled, and no prior reset request or user interaction is required.
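Items 3 and 4 share a root cause: a secret that can be recomputed from data the attacker already knows (a username and creation time, or an e-mail address). The following is an added example, not Chamilo's code, showing the pattern that removes that weakness: secrets from PHP's CSPRNG, stored only as a hash, with an expiry and single use. The in-memory $store stands in for a database table (assumption).

```php
<?php
// Added example (not Chamilo code): unpredictable reset tokens and API keys.
// A value derived from username + time or from an e-mail address can be
// recomputed or brute-forced; a random_bytes() value cannot.
// $store is an in-memory stand-in for a database table (assumption).

const TOKEN_TTL = 3600; // seconds a reset token stays valid

function newSecret(int $bytes = 32): string
{
    // random_bytes() is the CSPRNG; the same call suits REST API key generation.
    return bin2hex(random_bytes($bytes));
}

function issueResetToken(array &$store, string $email): string
{
    $token = newSecret();
    // Persist only a digest: a leaked table does not yield usable tokens.
    $store[hash('sha256', $token)] = ['email' => $email, 'exp' => time() + TOKEN_TTL];
    return $token; // delivered to the account's mailbox, never to the requester
}

function redeemResetToken(array &$store, string $token): ?string
{
    // Look up by digest, so no comparison is made on the raw token and timing
    // differences reveal nothing about it.
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;
    }
    $row = $store[$key];
    unset($store[$key]); // single use, whether or not it is still valid
    return $row['exp'] >= time() ? $row['email'] : null;
}

// Constructed demo: issue, redeem once, then try the same token and a random one.
$store = [];
$token = issueResetToken($store, 'alice@example.invalid');
var_dump(redeemResetToken($store, $token));      // first redemption
var_dump(redeemResetToken($store, $token));      // same token again
var_dump(redeemResetToken($store, newSecret())); // token that was never issued
```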


5) Improper privilege management (CVE-ID: CVE-2026-33706)

CWE-ID: CWE-269 - Improper Privilege Management

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper privilege management in the update_user_from_username endpoint when handling REST API requests to modify a user's own profile. A remote user can modify the status field to escalate privileges.

Exploitation requires a valid REST API key.


6) File And Directory Information Exposure (CVE-ID: CVE-2026-33705)

CWE-ID: CWE-538 - File And Directory Information Exposure

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to insertion of sensitive information into externally-accessible files: Twig template source files (.tpl) under /main/template/default/ are served directly in response to HTTP GET requests. A remote attacker can request these template files to disclose sensitive information.

The exposed files reveal internal application logic, variable names, AJAX endpoint URLs, admin panel structure, and permission check logic.


7) Arbitrary file upload (CVE-ID: CVE-2026-33704)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to write arbitrary files and execute arbitrary code.

The vulnerability exists due to unrestricted upload of file with dangerous type in the BigUpload endpoint when handling crafted upload requests. A remote user can send a specially crafted request to write arbitrary files and execute arbitrary code.

Code execution is possible on Apache configurations where .pht files are handled as PHP. Path traversal is blocked, limiting writes to the cache directory.


8) XML External Entity injection (CVE-ID: CVE-2026-33737)

CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper restriction of XML external entity references in simplexml_load_string() usage within XML-processing files when parsing crafted XML input. A remote user can submit a specially crafted XML document to disclose sensitive information.

Exploitation may allow server-side file read, and the risk increases if the LIBXML_NOENT flag is used or libxml configuration changes.
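As an added example (not Chamilo's code), this is how simplexml_load_string() can be called on untrusted input so that the LIBXML_NOENT risk described above does not arise: no entity substitution, no network fetches, and documents that declare a DTD are rejected outright. It assumes PHP 8 or later and UTF-8 input.

```php
<?php
// Added example (not Chamilo code): parse untrusted XML without entity expansion.
// Assumes PHP >= 8.0; on PHP 7 also call libxml_disable_entity_loader(true).

function parseUntrustedXml(string $xml): ?SimpleXMLElement
{
    // Every entity trick (internal, external, parameter entities, external DTD)
    // needs a DOCTYPE, so refuse documents that carry one. The check assumes
    // UTF-8 input; normalise other encodings before calling this function.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return null;
    }

    // Collect libxml errors instead of emitting PHP warnings.
    $previous = libxml_use_internal_errors(true);
    try {
        // Never pass LIBXML_NOENT: that flag substitutes entities and is what
        // turns a DOCTYPE into a file read. LIBXML_NONET blocks network access.
        $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
    return $doc === false ? null : $doc;
}

// Constructed inputs: a plain document and one that declares an internal entity.
$clean   = '<quiz><title>Week 1</title></quiz>';
$withDtd = '<!DOCTYPE q [<!ENTITY e "expanded">]><quiz><title>&e;</title></quiz>';

var_dump(parseUntrustedXml($clean) instanceof SimpleXMLElement);
var_dump(parseUntrustedXml($withDtd));
```

Rejecting the DOCTYPE is stricter than disabling entity substitution alone, which is why it is the check to apply at an input boundary rather than relying on libxml defaults.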


9) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33702)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify another user's learning path progress data.

The vulnerability exists due to authorization bypass through user-controlled key in main/lp/lp_ajax_save_item.php when handling requests that supply the uid parameter. A remote user can send a specially crafted request with another user's uid to modify another user's learning path progress data.

Authentication is required, and any enrolled user in the course can exploit the issue.


10) Open redirect (CVE-ID: CVE-2026-32932)

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to redirect a user to an arbitrary external site and disclose sensitive information.

The vulnerability exists due to URL redirection to an untrusted site in public/main/session/session_course_edit.php when processing a user-supplied page parameter during session course edit operations. A remote attacker can supply a crafted page parameter to redirect a user to an arbitrary external site and disclose sensitive information.

User interaction is required, and the redirect appends the id_session parameter to the destination URL.


11) Arbitrary file upload (CVE-ID: CVE-2026-32931)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to unrestricted upload of file with dangerous type in the Exercise::updateSound() function in public/main/exercise/exercise.class.php when handling exercise sound uploads. A remote user can upload a PHP file with a spoofed Content-Type header to execute arbitrary code.

The uploaded file retains its original .php extension and is placed in a web-accessible directory.


12) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-32930)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to view and modify evaluation settings in other courses.

The vulnerability exists due to authorization bypass through a user-controlled key in public/main/gradebook/gradebook_edit_eval.php when processing the editeval GET parameter. A remote user can manipulate the editeval parameter to view and modify evaluation settings in other courses.

Evaluation IDs are sequential integers, which makes them easily enumerable.


13) OS Command Injection (CVE-ID: CVE-2026-32892)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary OS commands.

The vulnerability exists due to improper neutralization of special elements used in an OS command in the move() function of main/inc/lib/fileManage.lib.php when handling document move requests via document.php. A remote privileged user can send a specially crafted move_to parameter to execute arbitrary OS commands.

Exploitation requires the ability to move documents in a course, and the attacker must first place a directory with shell metacharacters in its name on the filesystem, such as through course backup import.
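The defensive counterpart to item 13, as an added example that is not Chamilo's fileManage.lib.php: a document move implemented with PHP filesystem calls, where a directory name containing shell metacharacters is simply a path, and where both source and destination are confined to the course root after realpath() resolution. The course root $base and the demo tree are constructed for the example.

```php
<?php
// Added example, not Chamilo's fileManage.lib.php: move a document inside a
// course directory with PHP filesystem calls instead of a shell command, so
// metacharacters in a directory name are data, never part of a command line.
// $base is assumed to be the course document root; the demo tree is constructed.

function moveDocument(string $base, string $source, string $moveTo): bool
{
    $root = realpath($base);
    $src  = realpath($base . '/' . $source);
    $dest = realpath($base . '/' . $moveTo);
    if ($root === false || $src === false || $dest === false || $src === $root) {
        return false;
    }
    // Both the document and the target directory must resolve inside the course
    // root after symlink and ".." resolution.
    foreach ([$src, $dest] as $path) {
        $inside = $path === $root
            || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0;
        if (!$inside) {
            return false;
        }
    }
    if (!is_dir($dest)) {
        return false;
    }
    $target = $dest . DIRECTORY_SEPARATOR . basename($src);
    if (file_exists($target)) {
        return false; // refuse to overwrite silently
    }
    // rename() hands the path to a syscall, so a directory called "docs; id"
    // is just a directory.
    return rename($src, $target);
}

// Constructed demo: a course root containing a directory whose name holds
// shell metacharacters, as a backup import could create.
$base = sys_get_temp_dir() . '/course_' . bin2hex(random_bytes(4));
mkdir("$base/docs; id", 0700, true);
file_put_contents("$base/notes.txt", 'hello');
var_dump(moveDocument($base, 'notes.txt', 'docs; id'));       // target inside the root
var_dump(moveDocument($base, 'docs; id/notes.txt', '../..')); // target outside the root
```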


Remediation

Install the update from the vendor's website.