Description
Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. This vulnerability is fixed in 1.11.38.
Published: 2026-04-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

Chamilo Learning Management System allows an attacker to retrieve Twig template files without authentication. These files reveal internal application logic, variable names, AJAX endpoint URLs, and the structure of the administrative interface, constituting a form of information disclosure that could assist an adversary in understanding the system and planning further attacks.

Affected Systems

The vulnerability affects Chamilo LMS releases earlier than version 1.11.38. In those releases the /main/template/default/ directory, where the .tpl files reside, is directly reachable over HTTP without authentication.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity risk. No EPSS data is available, and the issue is not listed in the CISA KEV catalog. Exploitation requires only an unauthenticated HTTP GET request to a template file path, making it straightforward to discover. The primary impact is information disclosure, but the lack of authentication barriers makes the risk moderate enough to warrant prompt remediation.

Generated by OpenCVE AI on April 10, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chamilo LMS to version 1.11.38 or later to eliminate the exposed template files
  • Reconfigure the web server to deny HTTP GET requests to the /main/template/default/ directory if upgrading immediately is not possible
  • Confirm that the directory is indeed protected after applying the new configuration
  • Review web access logs for attempts to retrieve .tpl files and investigate suspicious activity
  • Apply any future vendor security updates as they become available
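A POSIX shell script, added here as an example and not taken from OpenCVE or the Chamilo project, that supports the second, third and fourth actions above: it classifies the HTTP status returned for a template path on a server you administer (403 or 404 means the deny rule is in effect, 200 means the directory is still exposed) and scans a combined-format access log for .tpl files under /main/template/default/ that were served successfully. The template file names, the JavaScript path and the log lines are constructed placeholders, not real Chamilo paths or real traffic.

```shell
#!/bin/sh
# Added example (not OpenCVE's or Chamilo's code): verify that a web-server deny
# rule for /main/template/default/ is in effect and review access logs for
# successful .tpl retrievals. All template paths below are placeholders.

TPL_PREFIX="/main/template/default/"

# classify_status CODE: prints "blocked" for 403/404 (deny rule in effect),
# "exposed" for 200 (template still served), "unknown" otherwise.
# Exit status is 0 only when blocked, so the function can drive an `if`.
classify_status() {
  case "$1" in
    403|404) echo "blocked"; return 0 ;;
    200)     echo "exposed"; return 1 ;;
    *)       echo "unknown"; return 1 ;;
  esac
}

# check_tpl_exposure BASE_URL TPL_PATH: requests one template path from the
# server you administer and classifies the status. Needs network access and
# curl, so the stand-alone run below does not call it.
check_tpl_exposure() {
  code=$(curl -s -o /dev/null -w '%{http_code}' "$1$2")
  classify_status "$code"
}

# find_tpl_requests LOGFILE: prints "client timestamp path" for every GET of a
# .tpl file under the template prefix that was answered with HTTP 200.
# Assumes the Apache/nginx combined log format (request path is field 7,
# status is field 9).
find_tpl_requests() {
  awk -v prefix="$TPL_PREFIX" '
    $6 == "\"GET" && index($7, prefix) == 1 && $9 == 200 &&
    ($7 ~ /\.tpl$/ || $7 ~ /\.tpl[?]/) { print $1, $4, $7 }
  ' "$1"
}

# count_tpl_requests LOGFILE: number of such requests, as a bare integer.
count_tpl_requests() {
  find_tpl_requests "$1" | wc -l | tr -d ' '
}

# Constructed sample log: two successful template fetches before the deny rule,
# one unrelated asset, and one blocked (403) fetch afterwards.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Apr/2026:20:51:00 +0000] "GET /main/template/default/placeholder_layout.tpl HTTP/1.1" 200 4821 "-" "curl/8.0"
203.0.113.7 - - [10/Apr/2026:20:51:02 +0000] "GET /main/template/default/placeholder_admin.tpl?v=1 HTTP/1.1" 200 2210 "-" "curl/8.0"
198.51.100.4 - - [10/Apr/2026:20:52:10 +0000] "GET /main/inc/placeholder.js HTTP/1.1" 200 89000 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Apr/2026:08:00:00 +0000] "GET /main/template/default/placeholder_layout.tpl HTTP/1.1" 403 162 "-" "curl/8.0"
EOF

echo "Successful .tpl retrievals in sample log: $(count_tpl_requests "$SAMPLE_LOG")"
find_tpl_requests "$SAMPLE_LOG"
echo "A 403 after reconfiguration means: $(classify_status 403)"
```

Run `find_tpl_requests /var/log/nginx/access.log` (or the Apache equivalent) against the real log to list which clients fetched templates and when; any hit dated before the deny rule went in is worth correlating with other activity from the same client. After reconfiguring, `check_tpl_exposure https://lms.example.org /main/template/default/<some-existing>.tpl` should print `blocked`.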

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 18:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*

Wed, 15 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Chamilo; Chamilo chamilo Lms
Vendors & Products | | Chamilo; Chamilo chamilo Lms

Fri, 10 Apr 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. This vulnerability is fixed in 1.11.38.
Title | | Chamilo LMS has unauthenticated access to Twig template source files exposes application logic
Weaknesses | | CWE-538
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Chamilo Chamilo Lms
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T15:02:39.017Z

Reserved: 2026-03-23T17:06:05.746Z

Link: CVE-2026-33705

Vulnrichment

Updated: 2026-04-15T15:02:35.965Z

NVD

Status: Analyzed

Published: 2026-04-10T19:16:23.653

Modified: 2026-04-16T18:29:46.540

Link: CVE-2026-33705

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:59:44Z

Weaknesses