PT-2026-32026 · Unknown · Chamilo Lms
Published 2026-04-10 · Updated 2026-04-10
CVE-2026-33737
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Chamilo LMS versions prior to 1.11.38 and prior to 2.0.0-RC.3
Description
Chamilo LMS uses the simplexml_load_string() function without proper XML External Entity (XXE) protection in multiple files. When the LIBXML_NOENT flag is not set, this allows an attacker to read arbitrary server files.
Recommendations
Update to version 1.11.38 or later.
Update to version 2.0.0-RC.3 or later.
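A defensive wrapper for the kind of simplexml_load_string() call described above, given here as an added example; it is not Chamilo's code or the project's actual fix. The function name parse_untrusted_xml, the reject-any-DOCTYPE policy and the sample documents are assumptions, and it assumes PHP 8+ with libxml2 2.9 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (name and policy are assumptions, not Chamilo code).
// Assumes PHP 8+ built against libxml2 2.9 or later.
function parse_untrusted_xml(string $xml): SimpleXMLElement
{
    $previous = libxml_use_internal_errors(true); // collect parse errors quietly
    try {
        $dom = new DOMDocument();
        // Only LIBXML_NONET is passed: no network access, and no flag that
        // asks libxml to substitute entities or load an external DTD.
        if ($xml === '' || !$dom->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('Malformed XML');
        }
        // Entities can only be declared in a DOCTYPE, so refuse any document
        // that carries one. Checking the parsed tree avoids encoding tricks
        // that can slip past a byte-level search for "<!DOCTYPE".
        if ($dom->doctype !== null) {
            throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
        }
        $element = simplexml_import_dom($dom);
        if (!$element instanceof SimpleXMLElement) {
            throw new InvalidArgumentException('Document could not be imported');
        }
        return $element;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'plain'   => '<quiz><title>Week 1</title></quiz>',
    'doctype' => '<!DOCTYPE quiz [<!ENTITY e SYSTEM "file:///constructed/placeholder">]>'
               . '<quiz><title>&e;</title></quiz>',
];
foreach ($samples as $label => $xml) {
    try {
        echo $label, ': accepted, title=', parse_untrusted_xml($xml)->title, PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Logging the rejected case gives a detection signal for documents that carry a DOCTYPE where none is expected.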
Fix
XXE
Affected Products
Chamilo Lms