Critical severity9.4NVD Advisory· Published Apr 10, 2026· Updated Apr 16, 2026
CVE-2026-33707
CVE-2026-33707
Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
11cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*+ 10 more
- cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*range: <1.11.38
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.