XXE Vulnerability in Chamilo LMS Affects Multiple Versions
CVE-2026-33737

5.3 MEDIUM

Key Information:

Vendor: Chamilo

CVE Published: 10 April 2026

What is CVE-2026-33737?

Chamilo LMS, a learning management system, is affected by an XML external entity (XXE) vulnerability caused by the improper use of the simplexml_load_string() function in multiple files. The function is called with the LIBXML_NOENT flag, which enables entity substitution, so an attacker who can supply crafted XML can potentially obtain arbitrary server files. Versions prior to 1.11.38 and 2.0.0-RC.3 are affected; the issue has been fixed in those releases, and users of Chamilo LMS are advised to upgrade to mitigate the associated risks.
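As an added illustration (not Chamilo's code), the following PHP wrapper shows the hardened way to call simplexml_load_string() for the flaw class described above: no LIBXML_NOENT, no DTD accepted, no network access during parsing. The function name parse_xml_safely and the sample documents are assumptions.

```php
<?php
// Added example, not Chamilo's code. The name parse_xml_safely and the
// sample documents below are assumptions for illustration.

// The pattern this advisory describes, kept here only as a comment:
//   simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
// LIBXML_NOENT makes libxml substitute entities, including external
// ones that can resolve to files on the server.

function parse_xml_safely(string $xml): ?SimpleXMLElement
{
    // Entity declarations only exist inside a DOCTYPE, so refusing any
    // document that carries one removes the whole entity-expansion class
    // before libxml ever sees it. Returning null lets the caller log/reject.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        return null;
    }

    // No LIBXML_NOENT. LIBXML_NONET additionally forbids network access
    // (remote DTDs, schemas) while parsing.
    $options = LIBXML_NONET;

    // PHP before 8.0 enables the external entity loader by default;
    // switch it off there. On PHP >= 8.0 it is already off and the
    // function is deprecated, so the call is skipped.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    // Collect parse errors instead of emitting warnings into the response.
    $previous = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', $options);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    return $doc === false ? null : $doc;
}

// Constructed sample inputs: a plain document and one that declares a DTD
// with a harmless internal entity. The first parses, the second is rejected.
$benign  = '<?xml version="1.0"?><course><title>Intro</title></course>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE course [<!ENTITY x "y">]>'
         . '<course>&x;</course>';

var_dump(parse_xml_safely($benign) instanceof SimpleXMLElement);
var_dump(parse_xml_safely($withDtd));
```

Rejecting the DOCTYPE up front also covers callers that forget the options argument entirely, which is the simplest way to keep every call site in a large code base consistent.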

Affected Version(s)

chamilo-lms < 1.11.38

chamilo-lms >= 2.0.0-alpha.1, < 2.0.0-RC.3

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
