CVE-2026-33618
Published: 10 April 2026
Summary
CVE-2026-33618 is a high-severity Eval Injection (CWE-95) vulnerability in Chamilo LMS. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 17.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation through patching to version 2.0.0-RC.3 directly eliminates the unsafe eval() usage on database platform settings.
Information input validation of platform settings retrieved from the database before eval() execution prevents arbitrary PHP code injection.
Least privilege enforcement restricts administrative access needed to modify platform settings with malicious PHP code.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Eval injection in the public-facing Chamilo LMS web application directly enables remote code execution, which maps to Exploit Public-Facing Application (T1190).
NVD Description
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3.
Deeper analysis
CVE-2026-33618 is an eval injection vulnerability in Chamilo LMS, an open-source learning management system. In versions prior to 2.0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() function to parse platform settings retrieved from the database. This allows arbitrary PHP code injection into the settings, classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote code execution.
An attacker requires administrative access to Chamilo LMS, which may be obtainable through a separate vulnerability referenced as Advisory 1. With admin privileges, the attacker can modify platform settings in the database to include malicious PHP code. This code executes whenever any user, including unauthenticated visitors, requests the /platform-config/list endpoint, enabling arbitrary code execution on the server with the privileges of the web server process.
The vulnerability is addressed in Chamilo LMS 2.0.0-RC.3, where the eval() usage is fixed, as detailed in the security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hp4w-jmwc-pg7w and the patching commit at https://github.com/chamilo/chamilo-lms/commit/f2c382c94a3f153a4d7e5ce5686c5a219fd09b3b. Security practitioners should upgrade to the fixed version and review access controls for admin roles.
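The pattern described above, as an added illustration that is not Chamilo's code and not taken from the fixing commit: the unsafe decoder executes whatever string sits in the settings row, while the hardened decoder treats the stored value as data. It assumes (an assumption, not from the advisory) that a setting is stored as a PHP array literal in the vulnerable form and as JSON in the hardened form.

```php
<?php
// Added illustration only; not Chamilo's decodeSettingArray() and not its fix.
// Assumption: the vulnerable form stores a PHP array literal such as
// "array('show_admin_toolbar' => 'true')" and evaluates it.

// Vulnerable pattern (CWE-95): the database value is executed as PHP source.
// Any PHP an administrator writes into the row runs here, with the web
// server's privileges, for every user who triggers this code path.
function decodeSettingArrayUnsafe(string $stored): array
{
    $value = eval('return ' . $stored . ';');
    return is_array($value) ? $value : [];
}

// Hardened pattern: the stored value is parsed, never evaluated.
// Assumption: settings are migrated to JSON; json_decode() cannot run code.
function decodeSettingArraySafe(string $stored): array
{
    $decoded = json_decode($stored, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($decoded)) {
        throw new UnexpectedValueException('platform setting is not an array');
    }
    // SI-10 style input validation: accept only scalar or null leaves, so the
    // result can only ever be plain configuration data.
    array_walk_recursive($decoded, function ($leaf, $key): void {
        if (!is_scalar($leaf) && $leaf !== null) {
            throw new UnexpectedValueException("non-scalar value for key {$key}");
        }
    });
    return $decoded;
}

// Constructed sample rows for a local demonstration.
$legacyRow = "array('show_admin_toolbar' => 'true', 'max_upload_mb' => 16)";
$jsonRow   = '{"show_admin_toolbar":"true","max_upload_mb":16}';

var_dump(decodeSettingArrayUnsafe($legacyRow) === decodeSettingArraySafe($jsonRow)); // bool(true)
```

The two decoders return identical arrays for well-formed input; the difference is that the hardened one cannot be turned into code execution by whatever an administrator (or an attacker holding admin access) stores in the settings table.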
Details
- CWE(s)