6.5

CVE-2026-33737

Chamilo LMS has an XML External Entity (XXE) Injection

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ChamiloChamilo Lms Version < 1.11.38
ChamiloChamilo Lms Version2.0.0 Updatealpha1
ChamiloChamilo Lms Version2.0.0 Updatealpha2
ChamiloChamilo Lms Version2.0.0 Updatealpha3
ChamiloChamilo Lms Version2.0.0 Updatealpha4
ChamiloChamilo Lms Version2.0.0 Updatealpha5
ChamiloChamilo Lms Version2.0.0 Updatebeta1
ChamiloChamilo Lms Version2.0.0 Updatebeta2
ChamiloChamilo Lms Version2.0.0 Updatebeta3
ChamiloChamilo Lms Version2.0.0 Updaterc1
ChamiloChamilo Lms Version2.0.0 Updaterc2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.22% 0.122
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com 5.3 1.6 3.6
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e
Patch
https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3
Patch
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j
Vendor Advisory