CVE-2026-33698

Critical

Published: 10 April 2026

Published

10 April 2026

Modified

16 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0012 30.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33698 is a critical-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and CM-7 (Least Functionality).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of software flaws, directly addressing the PHP code execution vulnerability fixed in Chamilo LMS 1.11.38.

AC-22 Publicly Accessible Content good match

prevent

Controls and monitors access to publicly accessible content such as the main/install/ directory, preventing the read access prerequisite for the unauthenticated chained attack.

CM-7 Least Functionality good match

prevent

Limits system to essential capabilities by removing or restricting unnecessary components like the post-install main/install/ directory, eliminating the exposure vector.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1100 Web Shell Persistence

A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network.

attack.mitre.org →

Why these techniques?

Vulnerability in public-facing Chamilo LMS web app allows unauthenticated remote PHP code execution and file creation/modification in accessible directory, directly enabling T1190 for initial access and T1100 for web shell deployment/persistence.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions.…

This only affects portals with the main/install/ directory still present and read-accessible. This vulnerability is fixed in 1.11.38.

Deeper analysisAI

CVE-2026-33698 is a critical vulnerability in Chamilo LMS, an open-source learning management system, affecting versions prior to 1.11.38. It stems from a chained attack that enables the execution of otherwise-blocked PHP code within the main/install/ directory, which should be secured after initial setup. This flaw, tied to CWE-552 (Files or Directories Accessible to External Parties), has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and only impacts portals where the main/install/ directory remains present and readable.

An unauthenticated attacker with network access can exploit this vulnerability by leveraging the chained attack vector. Upon success, they can modify existing files or create new ones, constrained solely by the target's system permissions, potentially leading to full compromise through arbitrary code execution or persistence mechanisms.

Mitigation requires upgrading to Chamilo LMS 1.11.38 or later, which addresses the issue. Details on the fix are documented in the project's GitHub security advisory (GHSA-557g-2w66-gpmf) and the patching commit (d3355d7873c7e5b907c5fa84cbd5d9b62ed33e51).

Details

CWE(s): CWE-552

Affected Products

chamilo

chamilo lms

≤ 1.11.38

CVEs Like This One

CVE-2025-50188Same product: Chamilo Chamilo Lms

CVE-2025-50187Same product: Chamilo Chamilo Lms

CVE-2024-47886Same product: Chamilo Chamilo Lms

CVE-2025-52469Same product: Chamilo Chamilo Lms

CVE-2025-50190Same product: Chamilo Chamilo Lms

CVE-2025-52998Same product: Chamilo Chamilo Lms

CVE-2026-33618Same product: Chamilo Chamilo Lms

CVE-2025-50192Same product: Chamilo Chamilo Lms

CVE-2026-33710Same product: Chamilo Chamilo Lms

CVE-2026-35196Same product: Chamilo Chamilo Lms

References

https://github.com/chamilo/chamilo-lms/commit/d3355d7873c7e5b907c5fa84cbd5d9b62ed33e51
Patch · security-advisories@github.com
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-557g-2w66-gpmf
Vendor Advisory · security-advisories@github.com