Vulnerability in Chamilo LMS Learning Management System Allows Unauthorized File Modification
CVE-2026-33698

9.3CRITICAL

Key Information:

Vendor: Chamilo
Status: Chamilo-lms
Vendor: CVE Published:; 10 April 2026

What is CVE-2026-33698?

Chamilo LMS, a popular learning management system, is susceptible to a file modification vulnerability that occurs when the 'main/install/' directory remains present and accessible. This issue allows an unauthenticated attacker to execute a chained attack, enabling them to bypass existing security measures and modify files or create new ones as permitted by system permissions. The vulnerability is mitigated in version 1.11.38, making it essential for users to update to this version to safeguard their systems.

Affected Version(s)

chamilo-lms < 1.11.38

References

https://github.com/chamilo/chamilo-lms/security/advisorie...

x_refsource_CONFIRM

https://github.com/chamilo/chamilo-lms/commit/d3355d7873c...

x_refsource_MISC

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 10, 2026
Vulnerability Reserved
Mar 23, 2026

CVE-2026-33698 Data

JSON