CVE-2026-33708

EUVD-2026-21563
Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Affected Products (NVD)
VendorProductVersion
chamilochamilo_lms
𝑥
< 1.11.38
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/chamilo/chamilo-lms/commit/4a119f93abbfba6fe833580f2463c8d4afa500c2
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qwch-82q9-q999