Chamilo Files or Directories Accessible to External Parties Vulnerability - CVE-2026-33698 - Vulnerability Database

Chamilo Files or Directories Accessible to External Parties Vulnerability - CVE-2026-33698

Critical

Reference: CVE-2026-33698

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-33698

Title: Chamilo Files or Directories Accessible to External Parties Vulnerability

Overview:

Chamilo LMS is a learning management system. Prior to 1.11.38 a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals with the main/install/ directory still present and read-accessible. This vulnerability is fixed in 1.11.38.