CVE-2026-33708

Source
https://cve.org/CVERecord?id=CVE-2026-33708
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33708.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33708
Aliases
  • GHSA-qwch-82q9-q999
Published
2026-04-10T18:54:35.034Z
Modified
2026-07-08T08:12:49.259369965Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Chamilo LMS has REST API PII Exposure via get_user_info_from_username
Details

Chamilo LMS is a learning management system. Prior to 1.11.38, the getuserinfofromusername REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33708.json"
}
References

Affected packages

Git / github.com/chamilo/chamilo-lms

Affected ranges

Type
GIT
Repo
https://github.com/chamilo/chamilo-lms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.11.38"
        }
    ],
    "cpe": "cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

Other
CHAMILO_1_8_7_ALPHA_1
CHAMILO_1_8_7_ALPHA_2
CHAMILO_1_8_7_RC2
CHAMILO_1_8_7_RC_1
CHAMILO_1_8_7_STABLE
CHAMILO_1_8_7_STABLE_BIS
CHAMILO_1_8_8_2_RC_1
CHAMILO_1_8_8_2_STABLE
CHAMILO_1_8_8_2_STABLE_2
CHAMILO_1_8_8_4_STABLE
CHAMILO_1_8_8_ALPHA
CHAMILO_1_8_8_BETA_1
CHAMILO_1_8_8_BETA_2
CHAMILO_1_9_0_ALPHA_1
CHAMILO_1_9_0_ALPHA_2
CHAMILO_1_9_0_ALPHA_4
CHAMILO_1_9_0_PRE_ALPHA
CHAMILO_1_9_0_RC_1
CHAMILO_1_9_0_STABLE_2
CHAMILO_1_9_0_STABLE_3
CHAMILO_1_9_2_STABLE
CHAMILO_1_9_2_STABLE_QUARTER
CHAMILO_1_9_4_ALPHA_1
CHAMILO_1_9_4_RC_1
CHAMILO_1_9_4_STABLE
CHAMILO_1_9_6_RC_1
CHAMILO_1_9_6_RC_2
CHAMILO_1_9_6_STABLE
CHAMILO_1_8_8.*
CHAMILO_1_8_8.3_STABLE_4
v1.*
v1.11.10
v1.11.12
v1.11.14
v1.11.14-beta.1
v1.11.18
v1.11.20
v1.11.20-beta.1
v1.11.22
v1.11.22-beta.1
v1.11.22-beta.2
v1.11.24
v1.11.26
v1.11.26-rc.1
v1.11.28
v1.11.30
v1.11.30-rc.1
v1.11.32
v1.11.36
v1.11.6
v1.11.6-alpha.1
v1.8.6.1
v1.9.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33708.json"