Description
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3.
Published: 2026-04-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Chamilo LMS, an open-source learning management system, contains a flaw in the PlatformConfigurationController::decodeSettingArray() method, which uses PHP's eval() to parse platform settings read from the database. Because the stored value is compiled as PHP source rather than treated as data, an attacker with administrative access can write arbitrary PHP code into these settings. The code then executes on the server whenever any user, authenticated or not, requests the /platform-config/list endpoint. This is full code execution in the web server's context and is classified as Remote Code Execution under CWE-95 (Eval Injection).
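To make the eval-as-parser problem concrete, the PHP below is an added illustration written for this page; it is not Chamilo's code and not the vendor's patch. It assumes a settings row holds a PHP short-array literal such as "['theme' => 'chamilo']" (the real stored format, the function names and the sample rows are all assumptions) and contrasts the eval() pattern the description talks about with two safer shapes: a token allowlist that lets eval() see nothing but a pure literal, for rows that cannot be migrated yet, and a JSON-only decoder for rows that have been migrated.

```php
<?php
declare(strict_types=1);

// Added illustration, not Chamilo's code. Assumes a settings row holds a
// PHP short-array literal; stored format, function names and sample rows
// are assumptions made for this example.

// Constructed sample rows: one benign, one planted by a hostile admin.
const BENIGN_ROW  = "['theme' => 'chamilo', 'max_upload_mb' => 50, 'beta' => false]";
const HOSTILE_ROW = "['theme' => 'chamilo'] + ['host' => php_uname('n')]";

// 1. The vulnerable shape: the database value is compiled as PHP source,
//    so any expression an admin stored runs with the web server's rights.
function decodeSettingArrayVulnerable(string $stored): array
{
    $settings = [];
    eval('$settings = ' . $stored . ';');
    return is_array($settings) ? $settings : [];
}

// 2. Stop-gap for rows that cannot be migrated yet: tokenize the string
//    and accept only what a literal array needs: single-quoted strings
//    (no interpolation), numbers, true/false/null, and [ ] , => - ;
function isPureArrayLiteral(string $stored): bool
{
    $tokens = token_get_all('<?php ' . $stored . ';');
    $allowedIds   = [T_OPEN_TAG, T_WHITESPACE, T_LNUMBER, T_DNUMBER,
                     T_DOUBLE_ARROW, T_CONSTANT_ENCAPSED_STRING, T_STRING];
    $allowedChars = ['[', ']', ',', ';', '-'];

    foreach ($tokens as $tok) {
        if (is_string($tok)) {                       // one-character tokens
            if (!in_array($tok, $allowedChars, true)) {
                return false;                        // e.g. '+', '(', '`', '$'
            }
            continue;
        }
        [$id, $text] = $tok;
        if (!in_array($id, $allowedIds, true)) {
            return false;                            // comments, heredocs, variables ...
        }
        if ($id === T_STRING
            && !in_array(strtolower($text), ['true', 'false', 'null'], true)) {
            return false;                            // any other bare word is a call/constant
        }
        if ($id === T_CONSTANT_ENCAPSED_STRING && $text[0] !== "'") {
            return false;                            // double quotes could interpolate
        }
    }
    return true;
}

function decodeSettingArrayLegacy(string $stored): array
{
    if (!isPureArrayLiteral($stored)) {
        throw new UnexpectedValueException('setting is not a plain array literal');
    }
    $settings = [];
    try {
        eval('$settings = ' . $stored . ';');        // can no longer call anything
    } catch (ParseError $e) {
        throw new UnexpectedValueException('setting does not parse', 0, $e);
    }
    return is_array($settings) ? $settings : [];
}

// 3. The durable fix: store JSON and decode it as data, never as code.
function decodeSettingArrayJson(string $stored): array
{
    $decoded = json_decode($stored, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new UnexpectedValueException('setting must be a JSON object');
    }
    return $decoded;
}

if (PHP_SAPI === 'cli') {
    // Vulnerable path: the hostile row's php_uname() call actually runs.
    var_dump(decodeSettingArrayVulnerable(HOSTILE_ROW));
    // Allowlist path: the benign row passes, the hostile row is rejected before eval().
    var_dump(isPureArrayLiteral(BENIGN_ROW), isPureArrayLiteral(HOSTILE_ROW));
    var_dump(decodeSettingArrayLegacy(BENIGN_ROW));
    // Migrated row: re-encode once as JSON, then decode it as data from then on.
    var_dump(decodeSettingArrayJson(json_encode(decodeSettingArrayLegacy(BENIGN_ROW))));
}
```

The allowlist variant is deliberately narrow: it rejects the old array() syntax, double-quoted strings, comments and any bare identifier other than true/false/null, because each of those is a way to smuggle an expression into what should be data. It is only a bridge; the JSON decoder is the shape a fixed build should converge on.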

Affected Systems

All releases of Chamilo LMS before 2.0.0-RC.3 are listed as vulnerable; the CPEs recorded for this CVE (see History below) cover the 2.0.0 pre-releases alpha1 through rc2. The flaw lives in the core PlatformConfigurationController component and is fixed in 2.0.0-RC.3. Administrators running an older 2.0.0 pre-release should upgrade rather than rely on configuration changes, since the eval() call is in application code.

Risk and Exploitability

The CVSS 3.1 score of 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates high severity; EPSS is below 1% and the vulnerability is not in the CISA KEV catalog. Note that the recorded vector rates privileges required as low, while the description requires administrative access to plant the payload; the description points to a companion advisory ("Advisory 1") as one route to that access, and weak or reused admin credentials are another. Once the payload is stored, triggering it needs no privileges at all: any request to /platform-config/list, including an unauthenticated one, executes it. The SSVC values recorded for the CVE (Exploitation: none, Automatable: no, Technical Impact: total) match this picture: no known exploitation at publication, but total impact once the admin precondition is met. The risk therefore remains high until the fix is applied, and a compromised admin account on an unpatched instance should be treated as a full server compromise.

Generated by OpenCVE AI on April 10, 2026 at 19:51 UTC.

Remediation

The description records the fix as Chamilo LMS 2.0.0-RC.3. No separate vendor advisory or workaround is recorded on this page.

OpenCVE Recommended Actions

  • Upgrade Chamilo LMS to version 2.0.0-RC.3 or newer; this is the only change that removes the eval() call.
  • Until upgraded, restrict access to /platform-config/list (for example at the web server or reverse proxy) to reduce who can trigger stored code. This is defense in depth only: an already-planted payload still runs for whoever reaches the endpoint, authenticated or not.
  • Protect the admin interface with strong, unique passwords and multi-factor authentication, and review the set of admin accounts, since administrative access is the injection precondition.
  • After upgrading, or if admin compromise is suspected, inspect stored platform settings for values that contain PHP expressions or function calls rather than plain configuration data, and treat any finding as an incident.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 22:15:00 +0000

Type: CPEs
Values Added:
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*

Mon, 13 Apr 2026 13:00:00 +0000

Type: First Time appeared
Values Added: Chamilo; Chamilo chamilo Lms
Type: Vendors & Products
Values Added: Chamilo; Chamilo chamilo Lms

Fri, 10 Apr 2026 19:15:00 +0000

Type: Metrics
Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 18:45:00 +0000

Type: Description
Values Added: Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3.
Type: Title
Values Added: Chamilo LMS Affected by Remote Code Execution via eval() in Platform Settings
Type: Weaknesses
Values Added: CWE-95
Type: References
Type: Metrics
Values Added: cvssV3_1
  {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T18:46:09.585Z

Reserved: 2026-03-23T14:24:11.616Z

Link: CVE-2026-33618

Vulnrichment

Updated: 2026-04-10T18:46:06.421Z

NVD

Status : Analyzed

Published: 2026-04-10T19:16:22.853

Modified: 2026-04-17T22:03:07.113

Link: CVE-2026-33618

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:59:51Z

Weaknesses