8.8
CVE-2026-33618
- EPSS 0.05%
- Veröffentlicht 10.04.2026 18:10:16
- Zuletzt bearbeitet 17.04.2026 22:03:07
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginDaten sind bereitgestellt durch National Vulnerability Database (NVD)
Chamilo ≫ Chamilo Lms Version2.0.0 Updatealpha1
Chamilo ≫ Chamilo Lms Version2.0.0 Updatealpha2
Chamilo ≫ Chamilo Lms Version2.0.0 Updatealpha3
Chamilo ≫ Chamilo Lms Version2.0.0 Updatealpha4
Chamilo ≫ Chamilo Lms Version2.0.0 Updatealpha5
Chamilo ≫ Chamilo Lms Version2.0.0 Updatebeta1
Chamilo ≫ Chamilo Lms Version2.0.0 Updatebeta2
Chamilo ≫ Chamilo Lms Version2.0.0 Updatebeta3
Chamilo ≫ Chamilo Lms Version2.0.0 Updaterc1
Chamilo ≫ Chamilo Lms Version2.0.0 Updaterc2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.05% | 0.147 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").