CVE-2026-33705
Received Received - Intake
Unauthorized Template File Access in Chamilo LMS Exposes Sensitive Data

Publication date: 2026-04-10

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. This vulnerability is fixed in 1.11.38.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33705
EUVD
EUVD-2026-21557
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chamilo chamilo_lms to 1.11.38 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-538 The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33705 is an information disclosure vulnerability in Chamilo LMS versions up to 1.11.36. The issue occurs because 235 Twig template files (.tpl) located under /main/template/default/ are accessible via unauthenticated HTTP GET requests due to insufficient Apache configuration restrictions.

These template files expose sensitive internal application details such as the admin panel structure, AJAX endpoint URLs, conditional logic and permission checks, internal variable names, and email templates. This exposure allows attackers to understand the internal workings of the application, map its structure, identify AJAX endpoints for targeted attacks, analyze permission checks to attempt authorization bypasses, and study email templates to facilitate phishing attacks.

The vulnerability is fixed in Chamilo LMS version 1.11.38 by restricting direct HTTP access to these .tpl files.

Impact Analysis

This vulnerability can impact you by exposing sensitive internal details of the Chamilo LMS application without requiring authentication. Attackers can gain insight into the admin panel structure, AJAX endpoints, and permission logic.

  • Mapping internal application structure to plan further attacks.
  • Identifying AJAX endpoints to target with malicious requests.
  • Understanding permission checks to attempt authorization bypasses.
  • Analyzing variable usage for parameter tampering.
  • Studying email templates to craft phishing attacks.

Overall, this leads to a moderate confidentiality impact, potentially aiding attackers in planning more sophisticated attacks against the system.

Detection Guidance

This vulnerability can be detected by attempting to access the Twig template files (.tpl) located under the /main/template/default/ directory via HTTP GET requests without authentication.

If these files are accessible and return content, it indicates the vulnerability is present.

  • Use curl or wget to request a known .tpl file, for example: curl -i http://your-chamilo-domain/main/template/default/admin/settings_index.tpl
  • Check the HTTP response code and content for exposure of internal application details such as Twig syntax, variable names, or admin panel structure.
  • Alternatively, use a web vulnerability scanner to detect publicly accessible .tpl files under the /main/template/default/ path.
Mitigation Strategies

To mitigate this vulnerability immediately, restrict direct HTTP access to .tpl files in the /main/template/ directory.

For Apache servers, add or ensure the presence of a .htaccess file in the /main/template/ directory with the following directive to deny access:

  • <FilesMatch "\.tpl$"> Require all denied </FilesMatch>

If .htaccess overrides are not supported, add this configuration to your Apache VirtualHost definition (replace /var/www/URL with your Chamilo root path):

  • <Directory /var/www/URL/main/template> <FilesMatch "\.tpl$"> Require all denied </FilesMatch> </Directory>

For Nginx servers, add a location block near the top of your server configuration to deny access to .tpl files and return a 403 Forbidden response:

  • location ~* \.tpl$ { deny all; return 403; }

Additionally, upgrade Chamilo LMS to version 1.11.38 or later where this vulnerability is fixed.

Compliance Impact

This vulnerability exposes internal application logic, variable names, AJAX endpoint URLs, and admin panel structure to unauthenticated users by allowing direct HTTP access to Twig template files. Such information disclosure can increase the risk of targeted attacks and unauthorized access attempts.

While the vulnerability itself does not directly disclose personal data or protected health information, the exposure of internal application details could facilitate attacks that might lead to breaches of sensitive data, potentially impacting compliance with standards like GDPR or HIPAA.

Therefore, this vulnerability indirectly affects compliance by increasing the risk of unauthorized access or data breaches, which are critical concerns under regulations such as GDPR and HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33705. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart