CVE-2026-33618HIGH 8.8EPSS p23.4%

CVE-2026-33618CVE-2026-33618

Description

Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.32% probability of exploitation · percentile 23.4% · 2026-06-18T12:00:27Z
Published2026-04-10
Last modified2026-04-17

Underlying weaknesses· 1

CWE-95

References

  1. https://github.com/chamilo/chamilo-lms/commit/f2c382c94a3f153a4d7e5ce5686c5a219fd09b3b
  2. https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hp4w-jmwc-pg7w

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')cwe-950%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-33698
CVE
CVE-2026-35196
CVE
CVE-2025-50189
CVE
CVE-2026-30881
CVE
CVE-2025-50187
CVE
CVE-2026-31940
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.