{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-33618/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-33618"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["chamilo","rce","eval-injection","cve-2026-33618"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS is a widely used open-source learning management system. CVE-2026-33618 affects versions prior to 2.0.0-RC.3. The vulnerability lies in the \u003ccode\u003ePlatformConfigurationController::decodeSettingArray()\u003c/code\u003e method, which passes platform settings retrieved from the database to PHP\u0026rsquo;s \u003ccode\u003eeval()\u003c/code\u003e in order to parse them. Those settings are writable by anyone holding administrative access to the Chamilo LMS platform, so an administrator (or an attacker who has taken over an administrator account) can store arbitrary PHP code in them. The stored code is executed whenever \u003cem\u003eany\u003c/em\u003e user, including unauthenticated users, requests the \u003ccode\u003e/platform-config/list\u003c/code\u003e endpoint. The injection step therefore requires administrative privileges, but the trigger does not: the bug turns an administrator account into a persistent server-side backdoor that fires on an ordinary, unauthenticated request, which is why it is rated critical for organizations running affected versions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains administrative access to the Chamilo LMS instance (for example through a separate vulnerability or compromised credentials).\u003c/li\u003e\n\u003cli\u003eAttacker opens the platform configuration settings page in the Chamilo LMS admin panel.\u003c/li\u003e\n\u003cli\u003eAttacker places PHP code that runs arbitrary commands on the server into a configurable setting field.\u003c/li\u003e\n\u003cli\u003eThe setting, payload included, is saved to the Chamilo LMS database; from this point the payload persists without any further action by the attacker.\u003c/li\u003e\n\u003cli\u003eAny user, authenticated or not, requests the \u003ccode\u003e/platform-config/list\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePlatformConfigurationController::decodeSettingArray()\u003c/code\u003e is called to process the platform settings loaded from the database.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eeval()\u003c/code\u003e executes the attacker\u0026rsquo;s PHP code in the context of the web server process.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains remote code execution on the Chamilo LMS server, from which the host and connected networks can be further compromised.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33618 allows an attacker to execute arbitrary PHP code on the Chamilo LMS server with the privileges of the web server process. This can lead to full system compromise, data exfiltration, defacement, or denial of service. Because Chamilo LMS is used by educational institutions and organizations worldwide, a successful attack could affect thousands of users and expose sensitive student or employee data. Exploitation is straightforward once administrative access is obtained: the payload is stored through the normal settings interface and fires on the next request to a single endpoint, so a compromised administrator account escalates directly to server compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Chamilo LMS instances to version 2.0.0-RC.3 or later to patch CVE-2026-33618. The upgrade stops the settings from being evaluated; it does not remove code that has already been stored, so review the platform settings in the database for PHP code after upgrading.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003e/platform-config/list\u003c/code\u003e endpoint from unusual IP addresses or user agents using the Sigma rule \u003ccode\u003eChamilo_Suspicious_PlatformConfig_Access\u003c/code\u003e. Note that the triggering request carries no payload (the code lives in the database), so this telemetry shows when the backdoor fired, not who planted it; changes to platform settings by administrative accounts are the stronger signal.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eChamilo_Eval_Based_Code_Execution\u003c/code\u003e to detect exploitation based on unusual child processes spawned by the web server\u0026rsquo;s PHP worker.\u003c/li\u003e\n\u003cli\u003eReview and audit all Chamilo LMS administrative accounts for suspicious activity, since administrative access is the precondition for planting the payload.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-chamilo-rce/","summary":"Chamilo LMS versions prior to 2.0.0-RC.3 are vulnerable to remote code execution (RCE) via eval injection, where an authenticated administrator can inject arbitrary PHP code into platform settings that is then executed when any user (including unauthenticated) requests the /platform-config/list endpoint.","title":"Chamilo LMS Unauthenticated Remote Code Execution via Configuration Injection (CVE-2026-33618)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-33618","version":"https://jsonfeed.org/version/1.1"}