PT-2026-32013 · Unknown · Chamilo Lms
Published 2026-04-10 · Updated 2026-04-11 · CVE-2026-33618
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Chamilo LMS versions prior to 2.0.0-RC.3
Description
Chamilo LMS, a learning management system, has an issue where the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() function to process platform settings retrieved from the database. An attacker with administrator privileges can inject arbitrary PHP code into these settings. The injected code is then executed whenever any user, including unauthenticated ones, accesses the '/platform-config/list' API endpoint, which results in remote code execution.
Recommendations
Upgrade to version 2.0.0-RC.3 or later.
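The weakness class described above is eval injection: a value that was stored as data is later executed as code, so the trust boundary is the database row, not the HTTP endpoint. The following is an added illustration and not Chamilo's code; the function names, the JSON storage format and the sample values are assumptions. It shows the insecure pattern the description refers to next to a hardened decoder that treats the stored setting strictly as data.

```php
<?php
// Added illustration of the eval-injection pattern and its fix. Hypothetical
// function names; not Chamilo's implementation.

// INSECURE pattern: a setting stored in the database is handed to eval() so it can be
// turned back into a PHP array. Whatever was written into that row, by any account
// allowed to edit settings, runs as PHP on every request that reads the setting.
function decodeSettingArrayInsecure(string $stored): array
{
    $result = eval('return ' . $stored . ';'); // stored data becomes executable code
    return is_array($result) ? $result : [];
}

// HARDENED replacement: persist settings as JSON and decode them as data only.
// json_decode() never executes anything; malformed input fails closed.
function decodeSettingArraySafe(string $stored): array
{
    try {
        $decoded = json_decode($stored, true, 32, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        // Malformed or unexpected content: return an empty setting and log it so an
        // operator can investigate why the row does not contain valid JSON.
        error_log('Rejected malformed platform setting: ' . $e->getMessage());
        return [];
    }
    if (!is_array($decoded)) {
        return [];
    }
    // Enforce the expected shape: string keys mapping to scalar (or null) values.
    // Anything else is rejected rather than passed along to the rest of the application.
    foreach ($decoded as $key => $value) {
        if (!is_string($key) || !(is_scalar($value) || $value === null)) {
            return [];
        }
    }
    return $decoded;
}

// Constructed sample rows, as they might sit in a settings table.
$validRow = '{"theme":"default","items_per_page":20}';
$brokenRow = '{"theme":';

var_dump(decodeSettingArraySafe($validRow));
var_dump(decodeSettingArraySafe($brokenRow));
```

Two points for practitioners follow from the pattern. First, restricting who can reach '/platform-config/list' does not remove the bug, because the code executes whenever the setting is decoded; removing eval() from the data path is the fix, and the version upgrade above does exactly that. Second, a quick audit of any PHP code base is to list every eval() call site and trace where its argument originates; any call whose input comes from a database, a request or a file is a candidate for the same class of issue.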
Fix
RCE
Eval Injection
Weakness Enumeration
Related Identifiers
Affected Products
Chamilo Lms