CVE-2026-33707— Weak Password Recovery Mechanism for Forgotten Password in chamilo/chamilo-lms

CVSS 9.4 · Critical EPSS 0.11% · P29 Updated Apr 18, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-33707

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Weak Password Recovery Mechanism for Forgotten Password in chamilo/chamilo-lms

Source: NVD (National Vulnerability Database)

Vulnerability Description

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Source: NVD (National Vulnerability Database)

Vulnerability Type

忘记口令恢复机制弱

Source: NVD (National Vulnerability Database)

Vulnerability Title

Chamilo LMS 授权问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Chamilo LMS是Chamilo开源的一套开源的在线学习和协作系统。该系统支持创建教学内容、远程培训和在线答题等。 Chamilo LMS 1.11.38之前版本和2.0.0-RC.3之前版本存在授权问题漏洞，该漏洞源于默认密码重置机制使用sha1($email)生成令牌且无随机组件、无过期和无速率限制，可能导致知道用户电子邮件的攻击者计算重置令牌并更改受害者密码。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
chamilo	chamilo-lms	< 1.11.38	-

II. Public POCs for CVE-2026-33707

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-33707

请登录查看更多情报信息。

Same Patch Batch · chamilo · 2026-04-10 · 23 CVEs total

CVE-2026-32892	9.1 CRITICAL	OS Command Injection in Chamilo LMS 1.11.36
CVE-2026-33618	8.8 HIGH	Chamilo LMS Affected by Remote Code Execution via eval() in Platform Settings
CVE-2026-31939	8.3 HIGH	Path Traversal (Arbitrary File Delete) in Chamilo LMS
CVE-2026-31941	7.7 HIGH	Server-Side Request Forgery (SSRF) in Chamilo LMS
CVE-2026-33710	7.5 HIGH	Chamilo LMS has Weak REST API Key Generation (Predictable)
CVE-2026-31940	7.5 HIGH	Session Fixation in Chamilo LMS
CVE-2026-32931	7.5 HIGH	Chamilo LMS has Arbitrary File Upload via MIME-Only Validation in Exercise Sound Upload Le
CVE-2026-32894	7.1 HIGH	Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Deletion of Any Student's Grade R
CVE-2026-33706	7.1 HIGH	Chamilo LMS has a REST API Self-Privilege Escalation (Student → Teacher)
CVE-2026-33702	7.1 HIGH	Chamilo LMS has an Insecure Direct Object Reference (IDOR)
CVE-2026-33704	7.1 HIGH	Chamilo LMS Affected by Authenticated Arbitrary File Write via BigUpload endpoint
CVE-2026-32930	7.1 HIGH	Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Evaluation Edit Without Ownership
CVE-2026-33708	6.5 MEDIUM	Chamilo LMS has REST API PII Exposure via get_user_info_from_username
CVE-2026-33736	6.5 MEDIUM	Chamilo LMS has an Insecure Direct Object Reference (IDOR) - User Data Exposure
CVE-2026-33141	6.5 MEDIUM	Chamilo LMS has an IDOR in REST API Stats Endpoint Exposes Any User's Learning Data
CVE-2026-32893	5.4 MEDIUM	Chamilo LMS has Reflected XSS via Unsanitized http_build_query() in Exercise Question List
CVE-2026-33705	5.3 MEDIUM	Chamilo LMS has unauthenticated access to Twig template source files exposes application l
CVE-2026-33737	5.3 MEDIUM	Chamilo LMS has an XML External Entity (XXE) Injection
CVE-2026-32932	4.7 MEDIUM	Chamilo LMS has an Open Redirect via Unvalidated 'page' Parameter in Session Course Edit
CVE-2025-66447		Chamilo LMS has validation-less redirect on login page

Showing top 20 of 23 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: chamilo-lms

Same vendor: chamilo

Same weakness: CWE-640

V. Comments for CVE-2026-33707

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-33707— Weak Password Recovery Mechanism for Forgotten Password in chamilo/chamilo-lms

I. Basic Information for CVE-2026-33707

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Shenlong Deep Dive — AI Deep Analysis

Affected Products

II. Public POCs for CVE-2026-33707

III. Intelligence Information for CVE-2026-33707

Same Patch Batch · chamilo · 2026-04-10 · 23 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-33707

Leave a comment