PT-2026-32012 · Unknown · Chamilo Lms

Published: 2026-04-10 · Updated: 2026-04-11 · CVE-2026-33141

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: Chamilo LMS versions prior to 2.0.0-RC.3

Description: Chamilo LMS, a learning management system, contains an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint. This allows any authenticated user, even those with low privileges (ROLE_USER), to access another user's learning progress, certificates, and gradebook scores for any course, regardless of enrollment or supervisory status.

Recommendations: Update to version 2.0.0-RC.3 or later.

Fix

Missing Authorization

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-33141

Affected Products

Chamilo Lms