Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Published: 2026-04-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Read Server Files via XML External Entity injection
Action: Patch
AI Analysis

Impact

SimpleXML parses the XML without disabling external entities; when the LIBXML_NOENT flag is passed, entity substitution is enabled, and a crafted document that declares an external entity can make the parser read any file on the server. This flaw can expose sensitive configuration files, source code, or other private data and is classified as CWE-611, XML External Entity Injection.
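The following PHP is an added illustration, not Chamilo's code and not part of this record. It shows a hardened replacement for a bare simplexml_load_string() call (no LIBXML_NOENT, LIBXML_NONET to block network fetches, and outright rejection of any DOCTYPE, since entity declarations can only appear there), together with a small audit helper for locating call sites in a code base that still pass LIBXML_NOENT. The function names, the sample source snippet and the two XML inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example (not Chamilo's own code): safe parsing of untrusted XML
// with SimpleXML, plus a simple audit helper for weak call sites.
declare(strict_types=1);

/**
 * Parse untrusted XML without external-entity resolution.
 * Throws instead of returning false so callers cannot silently ignore failure.
 */
function safe_simplexml_load_string(string $xml): SimpleXMLElement
{
    // A DOCTYPE is the only place an entity can be declared; untrusted
    // documents have no legitimate need for one, so refuse it up front.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('XML with a DOCTYPE declaration is not accepted');
    }

    // Deliberately no LIBXML_NOENT: entity substitution stays off.
    // LIBXML_NONET: the parser may not fetch anything over the network.
    $previous = libxml_use_internal_errors(true);
    try {
        $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
        if ($doc === false) {
            $messages = array_map(
                static fn(LibXMLError $e): string => trim($e->message),
                libxml_get_errors()
            );
            libxml_clear_errors();
            throw new RuntimeException('XML parse failed: ' . implode('; ', $messages));
        }
        return $doc;
    } finally {
        libxml_use_internal_errors($previous);
    }
}

/**
 * Audit helper: return the 1-based line numbers of simplexml_load_string()
 * calls that pass LIBXML_NOENT on the same line. Calls split across several
 * lines are not caught; a token-based scan would be needed for those.
 */
function find_noent_callsites(string $phpSource): array
{
    $hits = [];
    foreach (explode("\n", $phpSource) as $index => $line) {
        if (stripos($line, 'simplexml_load_string') !== false
            && stripos($line, 'LIBXML_NOENT') !== false) {
            $hits[] = $index + 1;
        }
    }
    return $hits;
}

// Constructed inputs for the demonstration (not taken from Chamilo).
$benign  = '<?xml version="1.0"?><course><title>Intro</title></course>';
$hostile = '<?xml version="1.0"?>'
         . '<!DOCTYPE x [<!ENTITY ext SYSTEM "file:///constructed/example.txt">]>'
         . '<course><title>&ext;</title></course>';

echo 'benign title: ', (string) safe_simplexml_load_string($benign)->title, PHP_EOL;

try {
    safe_simplexml_load_string($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Constructed source snippet: line 2 passes LIBXML_NOENT, line 3 does not.
$sampleSource = "<?php\n"
    . "\$a = simplexml_load_string(\$body, 'SimpleXMLElement', LIBXML_NOENT);\n"
    . "\$b = simplexml_load_string(\$body);\n";
echo 'call sites passing LIBXML_NOENT: ', implode(', ', find_noent_callsites($sampleSource)), PHP_EOL;
```

Rejecting the DOCTYPE is the decisive control: with libxml2 2.9.0 and later, entity substitution is already off unless LIBXML_NOENT is passed, so the combination of dropping that flag and refusing DOCTYPE closes both the flag-dependent and the declaration-dependent paths. The audit helper is a first pass for finding the affected call sites the advisory describes; review each hit manually.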

Affected Systems

Chamilo Learning Management System: versions earlier than 1.11.38 and 2.0.0-RC.3 are affected. Any installation that processes XML with simplexml_load_string is vulnerable, regardless of the deployment environment.

Risk and Exploitability

The CVSS score of 5.3 reflects a moderate severity, primarily due to the potential for information disclosure. Exploitation requires sending a malicious XML payload to the LMS; the attack vector is inferred to be remote via network if the LMS exposes any XML processing endpoints. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited publicly known exploitation but still requiring prompt remediation.

Generated by OpenCVE AI on April 10, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chamilo LMS to version 1.11.38 or later, or 2.0.0-RC.3 or later

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 18:30:00 +0000

Type: CPEs
Values:
  cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*

Mon, 13 Apr 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type: First Time appeared
Values:
  Chamilo
  Chamilo chamilo Lms
Type: Vendors & Products
Values:
  Chamilo
  Chamilo chamilo Lms

Fri, 10 Apr 2026 19:15:00 +0000

Type: Description
Values:
  Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Type: Title
Values:
  Chamilo LMS has an XML External Entity (XXE) Injection
Type: Weaknesses
Values:
  CWE-611
Type: References
Type: Metrics (cvssV3_1)
Values:
  {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T16:02:10.691Z

Reserved: 2026-03-23T17:34:57.561Z

Link: CVE-2026-33737

Vulnrichment

Updated: 2026-04-13T16:02:05.594Z

NVD

Status: Analyzed

Published: 2026-04-10T19:16:24.560

Modified: 2026-04-16T18:22:09.780

Link: CVE-2026-33737

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:59:37Z

Weaknesses