CVE-2026-33618

Source
https://cve.org/CVERecord?id=CVE-2026-33618
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33618.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33618
Aliases
  • GHSA-hp4w-jmwc-pg7w
Published
2026-04-10T18:10:16.691Z
Modified
2026-07-15T01:49:14.342445088Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Chamilo LMS Affected by Remote Code Execution via eval() in Platform Settings
Details

Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33618.json",
    "cwe_ids": [
        "CWE-95"
    ]
}
References

Affected packages

Git / github.com/chamilo/chamilo-lms

Affected ranges

Type
GIT
Repo
https://github.com/chamilo/chamilo-lms
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "2.0.0-alpha.1"
        },
        {
            "fixed": "2.0.0-RC.3"
        }
    ]
}

Affected versions

v2.*
v2.0.0-RC.1
v2.0.0-RC.2
v2.0.0-alpha.1
v2.0.0-alpha.2
v2.0.0-alpha.3
v2.0.0-alpha.4
v2.0.0-alpha.5
v2.0.0-beta.1
v2.0.0-beta.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33618.json"