Chamilo Improper Restriction of XML External Entity Reference Vulnerability - CVE-2026-33737 - Vulnerability Database

Chamilo Improper Restriction of XML External Entity Reference Vulnerability - CVE-2026-33737

Medium

Reference: CVE-2026-33737

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2026-33737

Title: Chamilo Improper Restriction of XML External Entity Reference Vulnerability

Overview:

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3 multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.