Cyber Resilience

CVE-2026-33698

Severity: Critical
Published: 10 April 2026
Modified: 16 April 2026
KEV Added: not listed
Patch: fixed in 1.11.38
CVSS Score (v4): 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0032 (23.7th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-33698 is a critical-severity vulnerability of type Files or Directories Accessible to External Parties (CWE-552) in Chamilo LMS (vendor: Chamilo). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 23.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-33698 is a critical vulnerability in Chamilo LMS, an open-source learning management system, affecting versions prior to 1.11.38. It stems from a chained attack that enables the execution of otherwise-blocked PHP code within the main/install/ directory, which should be removed or made inaccessible after initial setup. This flaw, tied to CWE-552 (Files or Directories Accessible to External Parties), has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); the 9.3 shown above is the CVSS v4 score. It only impacts portals where the main/install/ directory remains present and readable.

An unauthenticated attacker with network access can exploit this vulnerability through the chained attack described above. Upon success, they can modify existing files or create new ones, constrained solely by the filesystem permissions of the web server process, potentially leading to full compromise through arbitrary code execution or persistence mechanisms.

Mitigation requires upgrading to Chamilo LMS 1.11.38 or later, which addresses the issue. Details on the fix are documented in the project's GitHub security advisory (GHSA-557g-2w66-gpmf) and the patching commit (d3355d7873c7e5b907c5fa84cbd5d9b62ed33e51).
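A local audit check for the two preconditions described above (a release before 1.11.38 and a main/install/ directory that is still present and readable), written here as an added example and not taken from the advisory or the Chamilo project. The docroot path and the installed version are operator-supplied assumptions; run it as the web server user so the readability test reflects what the web server itself can reach.

```sh
#!/bin/sh
# Added audit helper (example code, not from the advisory or Chamilo).
# Exit status of chamilo_install_dir_exposed answers one question:
# does this portal still meet the preconditions for CVE-2026-33698?

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1   # equal versions are not "lower"
    }'
}

# chamilo_install_dir_exposed DOCROOT VERSION
#   exit 0 = exposed (release before 1.11.38 AND main/install/ present and readable)
#   exit 1 = not exposed
#   exit 2 = missing arguments
chamilo_install_dir_exposed() {
    docroot=$1
    version=$2
    [ -n "$docroot" ] && [ -n "$version" ] || return 2
    version_lt "$version" 1.11.38 || return 1   # 1.11.38 or later carries the fix
    [ -d "$docroot/main/install" ] || return 1  # directory removed after setup (CM-7)
    [ -r "$docroot/main/install" ] || return 1  # not readable by the current user
    return 0
}

# Usage: sh chamilo_install_check.sh /var/www/chamilo 1.11.37
# (both arguments are assumed values supplied by the operator)
if [ "$#" -eq 2 ]; then
    if chamilo_install_dir_exposed "$1" "$2"; then
        echo "EXPOSED: $1/main/install is present and readable on Chamilo $2 (< 1.11.38)"
    else
        echo "not exposed: fixed release in place or main/install/ removed"
    fi
fi
```

An "EXPOSED" result means both the upgrade to 1.11.38 and the removal of main/install/ are still outstanding; either one on its own closes the condition the advisory describes.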

Vulnerability details

Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals with the main/install/ directory still present and read-accessible. This vulnerability is fixed in 1.11.38.

CWE(s)

CWE-552 Files or Directories Accessible to External Parties

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The vulnerability in the public-facing Chamilo LMS web application allows unauthenticated remote PHP code execution and file creation or modification in an accessible directory, which directly enables T1190 for initial access and T1505.003 for web shell deployment and persistence.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30875 (same product: Chamilo LMS)
CVE-2026-33704 (same product: Chamilo LMS)
CVE-2026-29041 (same product: Chamilo LMS)
CVE-2026-32931 (same product: Chamilo LMS)
CVE-2025-52998 (same product: Chamilo LMS)
CVE-2025-50192 (same product: Chamilo LMS)
CVE-2026-33618 (same product: Chamilo LMS)
CVE-2025-52469 (same product: Chamilo LMS)
CVE-2024-47886 (same product: Chamilo LMS)
CVE-2025-50188 (same product: Chamilo LMS)

Affected Assets

Vendor: chamilo
Product: chamilo lms
Versions: ≤ 1.11.38 as listed; the advisory text states the issue is fixed in 1.11.38, so treat versions before 1.11.38 as affected.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and correction of software flaws, directly addressing the PHP code execution vulnerability fixed in Chamilo LMS 1.11.38.

AC-22 Publicly Accessible Content (prevent): Controls and monitors access to publicly accessible content such as the main/install/ directory, preventing the read access prerequisite for the unauthenticated chained attack.

CM-7 Least Functionality (prevent): Limits the system to essential capabilities by removing or restricting unnecessary components such as the post-install main/install/ directory, eliminating the exposure vector.