CVE-2026-33618 | Chamilo LMS up to 2.0.0-RC.2 /platform-config/list decodeSettingArray eval injection

A vulnerability described as critical has been identified in Chamilo LMS up to 2.0.0-RC.2. This affects the function PlatformConfigurationController::decodeSettingArray of the file /platform-config/list. Executing a manipulation can lead to improper neutralization of directives in dynamically evaluated code. The identification of this vulnerability is CVE-2026-33618. The attack may be launched remotely. There is no exploit available. Upgrading the affected component is recommended.