Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter — which only passes through Security::remove_XSS() (an HTML-only filter) — is concatenated directly into shell commands such as exec("mv $source $target"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Published: 2026-04-10
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Chamilo LMS's file move function places user-controlled path values directly into a shell command (exec("mv $source $target")) without escaping them. Any authenticated user who holds a teacher role in a course can move documents and so reach the vulnerable code, and by default any user can obtain that role simply by creating a course. Exploitation needs a directory whose name contains shell metacharacters, which the description says can be created through Course Backup Import; moving a document into that directory makes the shell interpret the metacharacters and run attacker-chosen commands as the web server user (www-data). The outcome is arbitrary command execution on the host running the LMS, compromising the confidentiality, integrity, and availability of the system and all data stored there.
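The pattern described above, shown as an added example that is not Chamilo's code: a vulnerable move built by string concatenation next to two hardened forms, one using escapeshellarg() and one that avoids the shell entirely with rename() and confines both paths to the document root. The function names, the html_only_filter() stand-in for Security::remove_XSS(), the scratch directory tree and the directory name `$(id)` are all constructed for the demonstration.

```php
<?php
// Added example for CVE-2026-32892; this is NOT Chamilo's code. The function
// names, the html_only_filter() stand-in for Security::remove_XSS(), and the
// directory name are constructed to show the pattern the advisory describes.
declare(strict_types=1);

// Stand-in for an HTML-only sanitizer: removes tags, leaves shell syntax intact.
function html_only_filter(string $value): string
{
    return strip_tags($value);
}

// VULNERABLE pattern: user-controlled paths concatenated into a shell command.
// Returns the command line instead of calling exec() so it can be inspected
// safely; passing this string to exec() is exactly what the advisory describes.
function move_vulnerable(string $source, string $target): string
{
    return "mv $source $target";
}

// Hardened pattern 1: each argument wrapped with escapeshellarg(). The shell
// now sees single-quoted strings, so $(...), ;, | and spaces are plain data.
function move_escaped(string $source, string $target): string
{
    return 'mv ' . escapeshellarg($source) . ' ' . escapeshellarg($target);
}

// True if $path resolves to $root itself or to something beneath it.
function inside_root(string $path, string $root): bool
{
    $real = realpath($path);
    $rootReal = realpath($root);
    if ($real === false || $rootReal === false) {
        return false;
    }
    return $real === $rootReal
        || strncmp($real, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) === 0;
}

// Hardened pattern 2 (preferred): no shell at all. rename() is a direct
// filesystem call, so metacharacters in a name are just bytes, and both
// ends of the move are confined to the course document root.
function move_native(string $source, string $target, string $docRoot): bool
{
    if (!inside_root($source, $docRoot) || !inside_root(dirname($target), $docRoot)) {
        return false;
    }
    $dest = realpath(dirname($target)) . DIRECTORY_SEPARATOR . basename($target);
    return rename(realpath($source), $dest);
}

// --- demo on a scratch tree (constructed input) ------------------------------
$root = sys_get_temp_dir() . '/cve-2026-32892-demo-' . bin2hex(random_bytes(4));
$evilDir = $root . '/$(id)';   // the kind of name a crafted backup import could create
mkdir($evilDir, 0700, true);
$source = $root . '/report.pdf';
file_put_contents($source, 'demo');

// The HTML-only filter passes the attacker's directory name through unchanged.
$moveTo = html_only_filter($evilDir . '/report.pdf');

echo 'vulnerable: ', move_vulnerable($source, $moveTo), PHP_EOL;
echo 'escaped:    ', move_escaped($source, $moveTo), PHP_EOL;

// Traversal out of the document root is refused before any filesystem call.
$refused = move_native($source, $root . '/../escaped.pdf', $root) === false;
// The metacharacter directory name is accepted, but nothing is executed.
$moved = move_native($source, $moveTo, $root);
echo 'native: traversal refused=', var_export($refused, true),
     ' moved=', var_export($moved, true),
     ' landed=', var_export(is_file($evilDir . '/report.pdf'), true), PHP_EOL;

// cleanup of the scratch tree
@unlink($evilDir . '/report.pdf');
@rmdir($evilDir);
@rmdir($root);
```

Run with `php move_demo.php` (PHP 7.0 or later). The first printed line is the unquoted command the vulnerable pattern would hand to /bin/sh, where `$(id)` is expanded as a command substitution before mv runs; the second line shows the same arguments single-quoted by escapeshellarg(). The native variant is the one to prefer: escaping only works if every interpolated value is escaped every time, whereas rename() never gives the shell a chance to parse anything.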

Affected Systems

Chamilo LMS (CPE vendor/product chamilo:chamilo_lms) is affected in every 1.11.x release before 1.11.38 (the CVE title names 1.11.36) and in every 2.0.0 pre-release before 2.0.0-RC.3 (the NVD CPE list covers 2.0.0 alpha1 through rc2). The fix is included in 1.11.38 and 2.0.0-RC.3. The vulnerable code is the move() function in fileManage.lib.php, reached through document.php.

Risk and Exploitability

The CVSS 3.1 base score of 9.1 (Critical) has the vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H: reachable over the network, low attack complexity, no user interaction, and a scope change because the injected commands run as the web server user rather than inside the application's own authority. The vector scores privileges as high (teacher rights), but the description points out that with the default allow_users_to_create_courses = true any authenticated user can create a course and thereby become a teacher in it, so on a default installation the effective precondition is a valid account plus the ability to create a directory whose name contains shell metacharacters (the description names Course Backup Import as one way). The EPSS estimate is below 1% (very low) and the CVE is not in CISA's KEV catalog; the SSVC assessment recorded on this page lists Exploitation: none and Automatable: no. Those figures describe observed activity, not difficulty: the exploitation path is straightforward, so an unpatched instance should be treated as exploitable by anyone who can obtain an account.

Generated by OpenCVE AI on April 10, 2026 at 19:22 UTC.

Remediation

The CVE description states that the fix ships in Chamilo LMS 1.11.38 and 2.0.0-RC.3. No vendor advisory or reference link has been attached to this record yet.

OpenCVE Recommended Actions

  • Upgrade to Chamilo LMS 1.11.38 or later on the 1.11 branch, or to 2.0.0-RC.3 or later on the 2.0 branch.
  • If upgrading immediately is not possible, disable or remove the Course Backup Import capability. The description names it as the known way to create a directory with shell metacharacters in its name but does not claim it is the only one, so treat this as a mitigation rather than a fix.
  • Restrict the ability of teachers to move documents, or disable the move function entirely, until the patch can be applied.
  • Set the configuration option allow_users_to_create_courses to false so that only administrators can create courses. This stops ordinary users from giving themselves a teacher role; it does not remove the capability from accounts that already hold a teacher role in any course.
  • Audit the course document tree for directory names containing shell metacharacters. Such a directory is a precondition for exploitation, and one that no legitimate workflow should produce is a reason to look for other signs of preparation or compromise on the host.
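One way to perform that audit, as an added helper that is not part of Chamilo: it walks a course tree and lists every directory whose name contains a character that /bin/sh would interpret when interpolated unquoted. The default root path is an assumption about a common Chamilo 1.11 layout, so pass the real path as the first argument; whitespace is deliberately included in the character set because unquoted interpolation splits arguments on it, which can produce hits on harmless names.

```php
<?php
// Added audit helper for the precondition described in CVE-2026-32892; this is
// not Chamilo's code. It lists directories whose names contain shell
// metacharacters under a course tree. The default root below is an assumption
// about a common Chamilo 1.11 layout; pass the real path as the first argument.
declare(strict_types=1);

// Characters that change meaning on a /bin/sh command line when left unquoted.
const SHELL_META = '/[;&|`$(){}<>*?\[\]!#~\s\'"\\\\]/';

/** @return string[] absolute paths of matching directories, sorted */
function find_metachar_dirs(string $root): array
{
    $hits = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST,
        RecursiveIteratorIterator::CATCH_GET_CHILD   // skip unreadable subtrees
    );
    foreach ($iterator as $entry) {
        /** @var SplFileInfo $entry */
        if ($entry->isDir() && preg_match(SHELL_META, $entry->getFilename()) === 1) {
            $hits[] = $entry->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

$root = $argv[1] ?? '/var/www/chamilo/app/courses';   // assumed default location
if (!is_dir($root)) {
    fwrite(STDERR, "not a directory: $root" . PHP_EOL);
    exit(2);
}
$hits = find_metachar_dirs($root);
foreach ($hits as $path) {
    echo $path, PHP_EOL;
}
// Exit status 1 when something was found, so the script can gate a cron job.
exit($hits === [] ? 0 : 1);
```

Run it as the web server user or as root so that permission-denied subtrees are not silently skipped, e.g. `php audit_course_dirs.php /path/to/chamilo/app/courses`. A non-empty result on an unpatched instance should be treated as an incident lead, not just as hygiene.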

Generated by OpenCVE AI on April 10, 2026 at 19:22 UTC.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:45:00 +0000

Type: CPEs
Values Added:
  cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*

Tue, 14 Apr 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type: First Time appeared
Values Added: Chamilo; Chamilo chamilo Lms
Type: Vendors & Products
Values Added: Chamilo; Chamilo chamilo Lms

Fri, 10 Apr 2026 18:15:00 +0000

Type: Description
Values Added: Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter — which only passes through Security::remove_XSS() (an HTML-only filter) — is concatenated directly into shell commands such as exec("mv $source $target"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Type: Title
Values Added: OS Command Injection in Chamilo LMS 1.11.36
Type: Weaknesses
Values Added: CWE-78
Type: References
Values Added: (none listed)
Type: Metrics (cvssV3_1)
Values Added:
  {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T14:07:14.704Z

Reserved: 2026-03-16T21:03:44.422Z

Link: CVE-2026-32892

Vulnrichment

Updated: 2026-04-14T14:07:10.674Z

NVD

Status : Analyzed

Published: 2026-04-10T18:16:41.797

Modified: 2026-04-17T21:30:50.533

Link: CVE-2026-32892

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:59:53Z

Weaknesses