CVE-2026-33618
Arbitrary Code Execution via eval() in Chamilo LMS Settings
Publication date: 2026-04-10
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | 2.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33618 is a high-severity remote code execution (RCE) vulnerability in Chamilo LMS versions greater than 1.11.* up to 2.0-RC.2. The vulnerability exists in the PlatformConfigurationController::decodeSettingArray() method, which uses PHP's eval() function to parse platform settings retrieved from the database.
If an attacker has administrative access, they can inject arbitrary PHP code into the platform settings stored in the database. The injected code is then executed whenever the /platform-config/list route is accessed; because that route does not require authentication, any user, including an unauthenticated visitor, can trigger it.
The root cause is improper sanitization of user-controlled input before passing it to eval(), leading to arbitrary code execution under the web server user.
How can this vulnerability impact me?
This vulnerability allows an attacker with admin access to execute arbitrary system commands on the server running Chamilo LMS.
- Full remote code execution under the www-data user.
- Ability to read sensitive files such as .env files containing database credentials.
- Establish reverse shells to maintain persistent access.
- Complete compromise of the server hosting the LMS.
Additionally, when combined with a prior vulnerability (Advisory 1), even a registered student user can escalate privileges to achieve full server compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves arbitrary PHP code injected into platform settings, which is executed when the /platform-config/list route is accessed. Detection can focus on monitoring access to this route and inspecting the stored platform settings for suspicious PHP code.
- Check web server logs for requests to /platform-config/list, especially from unusual or unauthorized sources.
- Query the database for the platform settings, particularly the catalog.course_catalog_settings value, to look for injected PHP code.
- Inspect the stored settings directly in the database, for example with a query such as: SELECT * FROM platform_settings WHERE setting_key = 'catalog.course_catalog_settings';
- Look for suspicious PHP code patterns or eval() usage in the stored settings.
- Monitor for unexpected PHP execution or unusual system commands running under the www-data user.
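As an added example (not part of this advisory and not Chamilo's own code), the following Python script performs the two checks listed above offline: it counts requests to the /platform-config/list route per client IP over constructed access-log lines, and it flags stored setting values that contain PHP code patterns. The log format, the sample setting values, the setting key other than catalog.course_catalog_settings, and the pattern list are all assumptions; the stored settings are assumed to be PHP array literals, as the eval()-based parsing described above suggests, and in practice the rows would come from the SELECT query in the previous step.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format) - not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2026:10:01:22 +0000] "GET /platform-config/list HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2026:10:01:25 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2026:10:02:01 +0000] "GET /platform-config/list HTTP/1.1" 200 5123 "-" "curl/8.0"
192.0.2.9 - - [12/Apr/2026:10:03:40 +0000] "GET /platform-config/list?page=2 HTTP/1.1" 200 5123 "-" "python-requests/2.31"
"""

# Parses one combined-format log line into its fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)


def route_hits(log_text, route="/platform-config/list"):
    """Count requests to `route` (query string ignored) per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0] == route:
            counts[m.group("ip")] += 1
    return dict(counts)


# Assumed patterns that a plain settings value should never contain.
# Each entry is (regex, label). Extend as needed for your deployment.
SUSPICIOUS = [
    (r"<\?php", "php-open-tag"),
    (r"\b(eval|system|exec|shell_exec|passthru|popen|proc_open|assert)\s*\(", "exec-function"),
    (r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b", "superglobal"),
    (r"\bbase64_decode\s*\(", "base64-decode"),
    (r"`[^`]+`", "backtick"),
    (r"\bfile_(get|put)_contents\s*\(", "file-io"),
]


def audit_setting(value):
    """Return the labels of every suspicious pattern found in one setting value."""
    return [label for pattern, label in SUSPICIOUS if re.search(pattern, value, re.IGNORECASE)]


def audit_settings(rows):
    """rows: iterable of (setting_key, value) as returned by the SELECT query.
    Returns {setting_key: [labels]} for rows that matched at least one pattern."""
    flagged = {}
    for key, value in rows:
        labels = audit_setting(value)
        if labels:
            flagged[key] = labels
    return flagged


# Constructed sample rows: one benign value and one tampered value.
# "platform.site_name" is an assumed key used only for illustration.
SAMPLE_SETTINGS = [
    ("platform.site_name", "Example Campus"),
    ("catalog.course_catalog_settings", "['courses_per_page' => 20]; system('id');"),
]


if __name__ == "__main__":
    for ip, n in sorted(route_hits(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} hits on /platform-config/list from {ip}")
    for key, labels in audit_settings(SAMPLE_SETTINGS).items():
        print(f"FLAGGED {key}: {', '.join(labels)}")
```

Because the route is unauthenticated, a request to it is not by itself evidence of an attack: the injection happens through the admin settings interface, and any later visit, including by a monitoring tool, triggers the stored code. Treat the settings audit as the primary check and the log counts as supporting context for when the tampered value was first executed.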
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where the vulnerability is fixed by removing the unsafe eval() usage.
- Until the upgrade can be applied, restrict administrative access to trusted users only, as the vulnerability requires admin privileges to inject malicious code.
- Monitor and audit platform settings for any suspicious or unexpected PHP code injections.
- Limit access to the /platform-config/list route if possible, or implement additional authentication or access controls.
- Review and harden server permissions to minimize impact if exploitation occurs, such as restricting www-data user privileges.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker with administrative access to inject and execute arbitrary PHP code on the server, leading to full remote code execution. Such a compromise can result in unauthorized access to sensitive data, including database credentials and potentially personal or protected information.
Because the vulnerability enables attackers to read sensitive files and fully compromise the server, it poses a significant risk to data confidentiality, integrity, and availability. This risk can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and breaches.
Therefore, exploitation of this vulnerability could result in violations of these standards due to potential data breaches and failure to maintain adequate security controls.