Description
Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters in the get_user_registration_by_month action, the same parameters remain unsanitized in the users_active action within the same file (public/main/inc/ajax/statistics.ajax.php), where they are directly interpolated into a SQL query. An authenticated admin can exploit this to perform time-based blind SQL injection, enabling extraction of arbitrary data from the database. This issue has been fixed in version 2.0.0.
Published: 2026-04-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an authenticated SQL injection in the Chamilo LMS statistics AJAX endpoint. An administrator can supply unsanitized date_start and date_end parameters in the users_active action, where they are directly interpolated into a SQL query. This allows a time‑based blind injection that enables the extraction of arbitrary data from the database, exposing confidential information and violating data confidentiality. The weakness is a classic SQL injection (CWE‑89) and is evidenced by the missing input sanitization.

Affected Systems

Chamilo LMS version 2.0.0‑RC2 is affected. The flaw resides in public/main/inc/ajax/statistics.ajax.php. All installations running this release run the risk of exploitation.

Risk and Exploitability

The vulnerability carries a high severity measured by a CVSS score of 7.1. Exploitability is constrained to authenticated administrators; an attacker must first compromise an admin account or benefit from a privileged role. Time‑based blind attacks can be performed with minimal user interaction, but they can be detectable due to the delay introduced. The EPSS score is not available, and the flaw is currently not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting that there are no widespread public exploitation reports yet. Nevertheless, an organization that experiences admin credential compromise can exploit the flaw to exfiltrate data.

Generated by OpenCVE AI on April 14, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chamilo LMS version 2.0.0 or later, where the users_active action sanitization has been added
  • If upgrading is not immediately possible, limit the exposure of administrative functions by enforcing strong authentication, such as multi‑factor authentication, and restricting network access to the admin interfaces
  • As a temporary patch, modify the statistics.ajax.php file to use prepared statements or otherwise strictly validate and escape the date_start and date_end parameters in the users_active action to prevent injection

Generated by OpenCVE AI on April 14, 2026 at 22:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Chamilo
Chamilo chamilo Lms
Vendors & Products Chamilo
Chamilo chamilo Lms

Tue, 14 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Description Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters in the get_user_registration_by_month action, the same parameters remain unsanitized in the users_active action within the same file (public/main/inc/ajax/statistics.ajax.php), where they are directly interpolated into a SQL query. An authenticated admin can exploit this to perform time-based blind SQL injection, enabling extraction of arbitrary data from the database. This issue has been fixed in version 2.0.0.
Title Chamilo LMS has Authenticated SQL Injection in statistics.ajax.php users_active action (2.0 RC2)
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Chamilo Chamilo Lms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T20:03:16.195Z

Reserved: 2026-03-23T17:06:05.747Z

Link: CVE-2026-33714

cve-icon Vulnrichment

Updated: 2026-04-15T18:59:32.355Z

cve-icon NVD

Status : Received

Published: 2026-04-14T21:16:25.893

Modified: 2026-04-14T21:16:25.893

Link: CVE-2026-33714

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses