Cyber Resilience

CVE-2026-33618

High · RCE

Published: 10 April 2026
Modified: 17 April 2026
KEV Added: not listed
Patch: available in 2.0.0-RC.3
CVSS v3.1 score: 8.8 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0032 (23.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33618 is a high-severity Eval Injection (CWE-95) vulnerability in Chamilo LMS (vendor: Chamilo). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 23.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33618 is an eval injection vulnerability in Chamilo LMS, an open-source learning management system. In versions prior to 2.0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() function to parse platform settings retrieved from the database. This allows arbitrary PHP code injection into the settings, classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code). The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote code execution.

An attacker requires administrative access to Chamilo LMS, which may be obtainable through a separate vulnerability referenced as Advisory 1. With admin privileges, the attacker can modify platform settings in the database to include malicious PHP code. This code executes whenever any user, including unauthenticated visitors, requests the /platform-config/list endpoint, enabling arbitrary code execution on the server with the privileges of the web server process.

The vulnerability is addressed in Chamilo LMS 2.0.0-RC.3, where the eval() usage is fixed, as detailed in the security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hp4w-jmwc-pg7w and the patching commit at https://github.com/chamilo/chamilo-lms/commit/f2c382c94a3f153a4d7e5ce5686c5a219fd09b3b. Security practitioners should upgrade to the fixed version and review access controls for admin roles.
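The core defect is that a value read from the database is handed to eval() and therefore treated as code rather than data. The following is an added illustration of the defensive pattern, not Chamilo's code: it assumes settings are stored as a JSON object and that a flat map of scalar values is all the consumer needs; the function name and the sample rows are constructed for this example.

```php
<?php
// Added example (not Chamilo's code). Replaces the "eval() a database
// string" pattern with a strict decoder that never executes the value.
// Assumptions: settings are persisted as JSON; only a flat map of
// scalar values is expected.

declare(strict_types=1);

function decodeSettingArraySafe(string $stored): array
{
    // Parse as data only. JSON_THROW_ON_ERROR turns malformed input into
    // an exception instead of a silent null; depth 8 bounds nesting.
    try {
        $value = json_decode($stored, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        throw new InvalidArgumentException('Setting is not valid JSON: ' . $e->getMessage());
    }
    if (!is_array($value)) {
        throw new InvalidArgumentException('Setting must decode to an array');
    }
    // Whitelist the shape: identifier-like keys, scalar or null values.
    foreach ($value as $key => $item) {
        if (!is_string($key) || !preg_match('/^[a-z0-9_]{1,64}$/i', $key)) {
            throw new InvalidArgumentException("Invalid setting key: $key");
        }
        if (!is_scalar($item) && $item !== null) {
            throw new InvalidArgumentException("Setting '$key' must be a scalar");
        }
    }
    return $value;
}

// Constructed sample rows, as an administrator might have stored them.
$rows = [
    '{"allow_registration":"true","max_upload_mb":64}', // accepted
    '{"theme":"default","nested":{"a":1}}',            // rejected: nested value
    'not json at all',                                  // rejected: not JSON
];
foreach ($rows as $row) {
    try {
        var_dump(decodeSettingArraySafe($row));
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The same shape check is what SI-10 (Information Input Validation) asks for here: even an administrator-written setting is validated against an expected structure before use, so a compromised admin account cannot turn configuration into code.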


Vulnerability details

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated users) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3.

CWE(s)

CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Eval injection in the public-facing Chamilo LMS web application directly enables remote code execution, which maps to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-50187 (same product: Chamilo LMS)
CVE-2025-52998 (same product: Chamilo LMS)
CVE-2025-50192 (same product: Chamilo LMS)
CVE-2025-52469 (same product: Chamilo LMS)
CVE-2024-47886 (same product: Chamilo LMS)
CVE-2025-50188 (same product: Chamilo LMS)
CVE-2026-33710 (same product: Chamilo LMS)
CVE-2025-50190 (same product: Chamilo LMS)
CVE-2026-30875 (same product: Chamilo LMS)
CVE-2025-50197 (same product: Chamilo LMS)

Affected Assets

Vendor: chamilo
Product: chamilo lms
Version: 2.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent)

Timely flaw remediation, by patching to version 2.0.0-RC.3, directly eliminates the unsafe eval() usage on platform settings read from the database.

SI-10 Information Input Validation (prevent)

Validating platform settings retrieved from the database against an expected structure, instead of passing them to eval(), prevents arbitrary PHP code injection.

AC-6 Least Privilege (prevent)

Least privilege enforcement restricts the administrative access that is needed to modify platform settings, limiting who could plant malicious PHP code in them.
