Description
Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals with the main/install/ directory still present and read-accessible. This vulnerability is fixed in 1.11.38.
Published: 2026-04-10
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Chamilo LMS versions prior to 1.11.38 are vulnerable to a chained attack that allows an unauthenticated attacker to execute PHP code located in the main/install directory, thereby enabling creation or modification of files where system permissions permit. The flaw is classified under CWE-552, indicating that it exploits an application component that was not meant to process user‑supplied code, resulting in arbitrary code execution on the web server.

Affected Systems

All releases of Chamilo LMS older than 1.11.38 are affected, but only installations that still expose the main/install subdirectory to external users are vulnerable. Administrators should check whether this directory is still present and readable over the web before deciding how to remediate.

Risk and Exploitability

The CVSS base score of 9.3 signals critical severity; the EPSS estimate is below 1% and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires only unauthenticated HTTP access to the exposed install folder; once the chain enables the otherwise-blocked PHP code in that folder, it runs with the web server’s privileges and can create or modify files, potentially giving full administrative or system control.

Generated by OpenCVE AI on April 10, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chamilo LMS to version 1.11.38 or newer
  • Remove the main/install directory if it is no longer required
  • Restrict or disable web access to the install folder so it is not world‑readable
  • Configure the web server to disable directory listing for the install directory
  • Inspect the platform for unexpected file modifications and revert any that are found
  • Monitor logs for anomalous PHP execution attempts

Generated by OpenCVE AI on April 10, 2026 at 19:50 UTC.
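The recommended actions above amount to one check and one hardening step: confirm whether main/install is still present and readable, and if it cannot simply be deleted, deny web access to it. The following POSIX shell helpers are an added example written for this page, not code from OpenCVE or from the Chamilo project; they assume an Apache 2.4 host with AllowOverride set so that .htaccess may carry Require directives (AuthConfig or All), and take the Chamilo webroot as their argument.

```shell
#!/bin/sh
# Added example (not from the advisory or from Chamilo): audit a Chamilo
# webroot for the installer directory that CVE-2026-33698 depends on, and
# optionally block HTTP access to it when it cannot be removed outright.
# Assumes Apache 2.4 with AllowOverride permitting Require in .htaccess.

# Exit 0 if main/install is present and readable, i.e. the precondition
# for the chained attack holds on this install; exit 1 otherwise.
chamilo_install_dir_present() {
    webroot="$1"
    [ -d "$webroot/main/install" ] && [ -r "$webroot/main/install" ]
}

# Write an Apache 2.4 .htaccess that denies all HTTP access to main/install.
# Deleting the directory is the stronger fix; use this when it must stay.
# Prints the path written and exits 0; exits 1 if the directory is absent.
chamilo_deny_install_dir() {
    webroot="$1"
    dir="$webroot/main/install"
    [ -d "$dir" ] || return 1
    printf '%s\n' \
        '# Block HTTP access to the Chamilo installer (CVE-2026-33698 precondition)' \
        'Require all denied' > "$dir/.htaccess"
    printf '%s\n' "$dir/.htaccess"
}

# Exit 0 if the deny rule is already in place for main/install, 1 otherwise.
chamilo_install_dir_denied() {
    grep -q '^Require all denied' "$1/main/install/.htaccess" 2>/dev/null
}
```

Run the audit on each portal and treat a present, undenied directory as a finding to fix before anything else; after applying the deny rule, confirm with a browser or curl that the path now returns 403.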

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 19:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 15 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Chamilo; Chamilo chamilo Lms
Vendors & Products | | Chamilo; Chamilo chamilo Lms

Fri, 10 Apr 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | | Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals with the main/install/ directory still present and read-accessible. This vulnerability is fixed in 1.11.38.
Title | | Chamilo LMS affected by unauthenticated RCE in main/install folder
Weaknesses | | CWE-552
References | |
Metrics | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T15:00:31.550Z

Reserved: 2026-03-23T17:06:05.746Z

Link: CVE-2026-33698

Vulnrichment

Updated: 2026-04-15T15:00:25.675Z

NVD

Status: Analyzed

Published: 2026-04-10T19:16:23.033

Modified: 2026-04-16T18:48:33.323

Link: CVE-2026-33698

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:59:49Z

Weaknesses