CVE-2026-33737

MEDIUM WAF: High

CVSS 6.5 Published: 2026-04-10

CWE-611

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

WAF Coverage Analysis

XML External Entity (XXE) High WAF Coverage

OWASP: A05:2021 Security Misconfiguration

941xxx - XSS / XXE

Affected Software

Vendor	Product	Version
chamilo	chamilo_lms	up to 1.11.38
chamilo	chamilo_lms	2.0.0
chamilo	chamilo_lms	2.0.0
chamilo	chamilo_lms	2.0.0
chamilo	chamilo_lms	2.0.0
chamilo	chamilo_lms	2.0.0
chamilo	chamilo_lms	2.0.0
chamilo	chamilo_lms	2.0.0
chamilo	chamilo_lms	2.0.0
chamilo	chamilo_lms	2.0.0

References

github.com (Patch)
github.com (Patch)
github.com (Vendor Advisory)

Back to CVE Database