Description
Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the custom_dates parameter. By chaining this with a predictable legacy password reset mechanism, an attacker can achieve full administrative account takeover without any prior credentials. The vulnerability also exposes the entire database, including PII and system configurations. This issue has been patched in version 1.11.34.
Published: 2026-03-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

Chamilo LMS suffers from an unauthenticated SQL injection through the custom_dates parameter of its model.ajax.php endpoint. The flaw allows attackers to execute arbitrary SQL statements against the server database, enabling them to read, modify, and delete data. By chaining this injection with a legacy password reset feature that uses predictable tokens, an attacker can gain full administrative control of the application, compromising all PII and configuration stored in the database. The weakness is documented as CWE-89.

Affected Systems

The vulnerability affects all installations of Chamilo Learning Management System running versions prior to 1.11.34. The product is identified by the CPE cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*. All vendor releases before 1.11.34 are impacted.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation at present. Despite the low EPSS, the lack of authentication required for exploitation and the potential for complete administrative takeover make this a high-risk vulnerability. The issue is not currently listed in the CISA KEV catalog. An attacker can reach the vulnerable endpoint remotely via the web interface, send a malicious custom_dates payload, and immediately gain database access and control.

Generated by OpenCVE AI on March 17, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update Chamilo LMS to version 1.11.34 or later to fix the unauthenticated SQL injection vulnerability.

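The record above gives a defender two concrete facts to act on: the fixed release (1.11.34) and the request shape (the custom_dates parameter of model.ajax.php). The following script, an added example that is not OpenCVE's or Chamilo's code, turns both into triage checks: a version comparison against 1.11.34, and a pass over web-server access logs that flags model.ajax.php requests whose custom_dates value is not a plain date list. The expected value format (comma-separated YYYY-MM-DD dates), the /main/inc/ajax/ directory in the sample URLs and the sample log lines themselves are assumptions constructed for the example; the advisory documents only the endpoint and parameter names.

```python
"""Triage helpers for CVE-2026-28430 (added example, not vendor code).

is_affected(version)            -> True when a Chamilo LMS version is older than 1.11.34
find_suspicious_requests(lines) -> access-log entries hitting model.ajax.php with an
                                   ill-formed custom_dates value
"""
import re
from urllib.parse import parse_qs, urlsplit

# Fixed release named in the CVE record.
FIXED_VERSION = (1, 11, 34)

# ASSUMPTION: custom_dates normally carries one or more YYYY-MM-DD dates separated by
# commas. The advisory does not document the format; adjust to what your deployment sends.
DATE_LIST = re.compile(r"^\d{4}-\d{2}-\d{2}(,\d{4}-\d{2}-\d{2})*$")

# Common Log Format prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real logs); the /main/inc/ajax/ path prefix is assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Mar/2026:10:01:02 +0000] "GET /main/inc/ajax/model.ajax.php?custom_dates=2026-03-01,2026-03-31 HTTP/1.1" 200 512',
    '203.0.113.7 - - [17/Mar/2026:10:01:09 +0000] "GET /main/inc/ajax/model.ajax.php?custom_dates=2026-03-01%27 HTTP/1.1" 200 9044',
    '198.51.100.2 - - [17/Mar/2026:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 1200',
    '203.0.113.9 - - [17/Mar/2026:10:03:40 +0000] "GET /main/inc/ajax/model.ajax.php?custom_dates= HTTP/1.1" 200 70',
]


def parse_version(version):
    """Turn '1.11.33' (optionally with a suffix) into a comparable (1, 11, 33) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True when the reported Chamilo LMS version predates the 1.11.34 fix."""
    return parse_version(version) < FIXED_VERSION


def custom_dates_value(target):
    """Return the (percent-decoded) custom_dates value of a model.ajax.php request, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/model.ajax.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # parse_qs percent-decodes values
    values = qs.get("custom_dates")
    return values[0] if values else None


def classify_value(value):
    """'ok' for an empty or well-formed date list, otherwise a short reason string."""
    if value == "" or DATE_LIST.match(value):
        return "ok"
    if any(ch in value for ch in "'\"\\;") or "--" in value or "/*" in value:
        return "sql metacharacters in custom_dates"
    return "custom_dates is not a date list"


def find_suspicious_requests(log_lines):
    """Return one dict per log line whose custom_dates value does not look like a date list."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        value = custom_dates_value(m["target"])
        if value is None:
            continue  # different endpoint or parameter absent
        verdict = classify_value(value)
        if verdict != "ok":
            hits.append({"ip": m["ip"], "ts": m["ts"], "value": value, "reason": verdict})
    return hits


if __name__ == "__main__":
    for v in ("1.11.33", "1.11.34"):
        print(v, "affected" if is_affected(v) else "fixed")
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The log check only sees parameters that appear in the request line, so a deployment that receives custom_dates in a POST body needs request-body logging (or a WAF/reverse-proxy log) for the same check to apply; the version check is the reliable signal either way, since every release before 1.11.34 is in scope regardless of traffic.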

Tracking


Advisories

No advisories yet.

History

Tue, 17 Mar 2026 19:00:00 +0000

Type    | Values Removed | Values Added
CPEs    |                | cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
Metrics |                | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 17 Mar 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 10:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Chamilo; Chamilo chamilo Lms
Vendors & Products  |                | Chamilo; Chamilo chamilo Lms

Mon, 16 Mar 2026 19:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the custom_dates parameter. By chaining this with a predictable legacy password reset mechanism, an attacker can achieve full administrative account takeover without any prior credentials. The vulnerability also exposes the entire database, including PII and system configurations. This issue has been patched in version 1.11.34.
Title       |                | Chamilo LMS Vulnerable to Unauthenticated SQL Injection in chamiko-lms model.ajax.php
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Chamilo Chamilo Lms
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-17T13:38:36.572Z

Reserved: 2026-02-27T15:54:05.137Z

Link: CVE-2026-28430

Vulnrichment

Updated: 2026-03-17T13:38:33.575Z

NVD

Status: Analyzed

Published: 2026-03-16T20:16:17.957

Modified: 2026-03-17T18:53:49.153

Link: CVE-2026-28430

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:54Z

Weaknesses