Executive Summary

CVE-2026-33737 is an XML External Entity (XXE) Injection vulnerability in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. The issue arises because multiple files use the PHP function simplexml_load_string() without proper XXE protections. When the LIBXML_NOENT flag is used, it allows an attacker to exploit XML entity resolution to read arbitrary files on the server.

The vulnerability is due to improper restriction of XML external entity references (CWE-611), where XML documents containing external entities are processed in a way that can cause unintended resource access. This can lead to disclosure of sensitive server files.

The vulnerability was fixed by adding the LIBXML_NONET flag to XML parsing calls, which disables network access during XML parsing, and by improving error handling to prevent silent failures.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to read arbitrary files on the server hosting Chamilo LMS by exploiting the XML parsing process. This can lead to disclosure of sensitive information stored on the server.

The CVSS v3.1 base score is 5.3 (Moderate), indicating a moderate severity impact. The attack requires network access and low privileges but no user interaction.

• Confidentiality Impact: High (sensitive data can be exposed)
• Integrity Impact: None
• Availability Impact: None

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying usage of the PHP function simplexml_load_string() without the LIBXML_NONET flag or proper XXE protections in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3.

You can scan your Chamilo LMS codebase for instances of simplexml_load_string() calls that do not include the LIBXML_NONET flag.

• Use grep or similar tools to search for simplexml_load_string usage: grep -rnw '/path/to/chamilo' -e 'simplexml_load_string'
• Check if the calls include the LIBXML_NONET flag. For example, look for calls without LIBXML_NONET: grep -rnw '/path/to/chamilo' -e 'simplexml_load_string(' | grep -v 'LIBXML_NONET'

Additionally, monitoring network traffic for unexpected file reads or XML payloads that include external entities could help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation is to upgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later, where the vulnerability is fixed.

If upgrading is not immediately possible, apply patches that add the LIBXML_NONET flag to all simplexml_load_string() calls to disable network access during XML parsing.

Ensure that XML parsing uses internal error handling by calling libxml_use_internal_errors(true) before parsing and properly handling parsing failures instead of suppressing errors.

• Add LIBXML_NONET flag to all XML parsing calls to prevent external entity resolution.
• Avoid using the LIBXML_NOENT flag which enables entity substitution that can be exploited.
• Review and harden XML parsing code as per the security updates described in the patches.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-33737 is an XML External Entity (XXE) vulnerability that allows an attacker to read arbitrary server files by exploiting improper XML parsing in Chamilo LMS. This can lead to unauthorized disclosure of sensitive information stored on the server.

Such unauthorized access to sensitive data can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access or disclosure.

By enabling attackers to read arbitrary files, this vulnerability increases the risk of data breaches, potentially exposing personal data or protected health information, thereby violating confidentiality requirements mandated by these regulations.

The vulnerability has been addressed in patched versions (1.11.38 and 2.0.0-RC.3) by disabling network access during XML parsing and improving error handling, which mitigates the risk of such data exposure and helps maintain compliance.

Useful 0 Not Useful 0