CVE-2026-33707 | THREATINT

Description

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

PUBLISHED Reserved 2026-03-23 | Published 2026-04-10 | Updated 2026-04-13 | Assigner GitHub_M

CRITICAL: 9.4CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Problem types

CWE-640: Weak Password Recovery Mechanism for Forgotten Password

Product status

< 1.11.38

affected

>= 2.0.0-alpha.1, < 2.0.0-RC.3

affected

References

github.com/...lo-lms/security/advisories/GHSA-f27g-66gq-g7v2

github.com/...ommit/078d7e5b77679fa7ccfcd6783bd5cc683db0bda8

github.com/...ommit/750a45312a0d5c3ad60dbfbd0d959ca40be4a18c

cve.org (CVE-2026-33707)

nvd.nist.gov (CVE-2026-33707)

Download JSON