CVE-2026-33702

Published: Apr 10, 2026

Modified: Apr 13, 2026

PUBLISHED

CVSS v3.1

7.1

HIGH

Description

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path progress — including score, status, completion, and time — without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user's Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

Vendor	Product	Versions
chamilo	chamilo-lms	affected `< 1.11.38` affected `>= 2.0.0-alpha.1, < 2.0.0-RC.3`

Weaknesses (CWE)

CWE-639

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

References

https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654

x_refsource_CONFIRM

https://github.com/chamilo/chamilo-lms/commit/6331d051b4468deb5830c01d1e047c5e5cf2c74f

x_refsource_MISC

https://github.com/chamilo/chamilo-lms/commit/bf3f6c6949b5c882b48a9914baa19910417e4551

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-33702

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References