{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33737", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.561Z", "datePublished": "2026-04-10T19:05:08.873Z", "dateUpdated": "2026-04-13T16:02:10.691Z"}, "containers": {"cna": {"title": "Chamilo LMS has an XML External Entity (XXE) Injection", "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "lang": "en", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j"}, {"name": "https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e"}, {"name": "https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3"}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"version": "< 1.11.38", "status": "affected"}, {"version": ">= 2.0.0-alpha.1, < 2.0.0-RC.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T19:05:08.873Z"}, "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."}], "source": {"advisory": "GHSA-c4ww-qgf2-v89j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T16:01:59.171472Z", "id": "CVE-2026-33737", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T16:02:10.691Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33737", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T16:01:59.171472Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T16:02:05.594Z"}}], "cna": {"title": "Chamilo LMS has an XML External Entity (XXE) Injection", "source": {"advisory": "GHSA-c4ww-qgf2-v89j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"status": "affected", "version": "< 1.11.38"}, {"status": "affected", "version": ">= 2.0.0-alpha.1, < 2.0.0-RC.3"}]}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j", "name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e", "name": "https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3", "name": "https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T19:05:08.873Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33737", "state": "PUBLISHED", "dateUpdated": "2026-04-13T16:02:10.691Z", "dateReserved": "2026-03-23T17:34:57.561Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T19:05:08.873Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A4D0C5D2-6FA0-4532-8E3D-4EA111A50621", "versionEndExcluding": "1.11.38", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "4AF7661F-C1F7-4CAB-BBDF-FC5BF7F5BEB8", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "FE56AF71-9D53-42C6-980D-09E1C418ED87", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "01195674-9E1A-4C07-B7D3-0F0CC2E6511B", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "BAE63449-5A56-4302-A4BF-F3D19FC96A80", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*", "matchCriteriaId": "A84A06F9-5AB7-4703-8153-33AC68882B95", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "B91302A3-53DE-4ED0-BAAB-FE9DA03F8242", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "46008D4A-96F7-4E04-8256-E115AAAE3383", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "6E2BCAFF-D44B-4E67-998A-DF855E27606B", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "D2E7D018-E4C2-45F5-8D9A-DAC947173607", "vulnerable": true}, {"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "DAF96697-6B6D-459D-9510-E5CEEDC2859B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."}], "id": "CVE-2026-33737", "lastModified": "2026-04-16T18:22:09.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-10T19:16:24.560", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.11.38)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0-alpha.1,2.0.0-RC.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "chamilo-lms", "source": "cna", "vendor": "chamilo"}, "product": "chamilo_lms", "vendor": "chamilo"}], "analysis": {"en": {"generated_at": "2026-04-10T20:35:45.297237+00:00", "value": {"mitigation_remediation": ["Update Chamilo LMS to version 1.11.38 or later, or 2.0.0\u2011RC.3 or later"], "summary": {"action": "Patch", "impact": "Read Server Files via XML External Entity injection"}, "threat_synthesis": {"affected_systems": "Chamilo Learning Management System \u2013 versions earlier than 1.11.38 and 2.0.0\u2011RC.3 are affected. Any installation that processes XML with simplexml_load_string is vulnerable, regardless of the deployment environment.", "description_and_impact": "SimpleXML is used to parse XML without protection, allowing a crafted XML document to request any file on the server through the LIBXML_NOENT flag. This flaw can expose sensitive configuration files, source code, or other private data and is classified as CWE\u2011611, XML External Entity Injection.", "risk_and_exploitability": "The CVSS score of 5.3 reflects a moderate severity, primarily due to the potential for information disclosure. Exploitation requires sending a malicious XML payload to the LMS; the attack vector is inferred to be remote via network if the LMS exposes any XML processing endpoints. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited publicly known exploitation but still requiring prompt remediation."}}}}, "created": "2026-04-13T12:42:51.278977+00:00", "updated": "2026-04-13T12:59:37.168810+00:00", "vendors": ["chamilo", "chamilo$PRODUCT$chamilo_lms"]}