SB2026031625 - Multiple vulnerabilities in Chamilo LMS

Published: March 16, 2026
Updated: April 24, 2026

Security Bulletin ID: SB2026031625
CSH Severity: High
Patch available: Yes
Number of vulnerabilities: 12
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 17% (2 of 12)   Medium: 25% (3 of 12)   Low: 58% (7 of 12)   Critical: 0 of 12

Description

This security bulletin contains information about 12 vulnerabilities.


1) SQL injection (CVE-ID: CVE-2026-28430)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote, unauthenticated attacker (PR:N in the vector above) to execute arbitrary SQL queries against the application database.

The vulnerability exists due to insufficient sanitization of user-supplied data in the custom_dates parameter. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation may allow the attacker to read, modify or delete data in the database and gain complete control over the affected application.


2) Arbitrary file upload (CVE-ID: CVE-2026-29041)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote authenticated user to execute arbitrary code on the server.

The vulnerability exists due to improper validation of uploaded files in the main/inc/ajax/document.ajax.php endpoint when handling the ck_uploadimage action. A remote user can upload a crafted file containing executable code under a web-accessible path and then request it through the web server, causing the code to run with the privileges of the PHP process.

Only deployments with the $_configuration['enable_uploadimage_editor'] configuration option enabled are vulnerable.
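The following is an added illustration of the validation that the ck_uploadimage path lacks; it is not Chamilo's code and not taken from the bulletin. It decides purely on the bytes of the upload (libmagic plus a second decoder), discards the client-supplied filename, and stores under a server-chosen name and extension. Directory names are assumptions, and the two sample inputs are constructed for the demo.

```php
<?php
// Added illustration, not Chamilo code. Directory names are assumptions.

// Allowed types keyed on the content-derived MIME type, mapped to the extension
// the server will use; the client's name and Content-Type never participate.
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

// Returns the extension to store under, or null when the bytes are not an
// allowed raster image.
function validateImageBytes(string $tmpPath): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    // A second, independent decoder has to agree that it is an image.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$mime];
}

// Request-handler side: the original name is discarded entirely, so double
// extensions, .phtml/.htaccess names and path traversal never reach the disk.
function storeUploadedImage(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $ext = validateImageBytes($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('not an allowed image');
    }
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $dest;
}

// CLI demo with constructed inputs: a minimal 1x1 GIF and a PHP script whose
// name ends in .png. Only the bytes decide.
$gif = sys_get_temp_dir() . '/probe.gif';
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b");
$php = sys_get_temp_dir() . '/shell.php.png';
file_put_contents($php, "<?php system(\$_GET['c']);");
var_dump(validateImageBytes($gif));   // a real image is accepted
var_dump(validateImageBytes($php));   // PHP source is rejected regardless of the name
unlink($gif);
unlink($php);
```

Two checks belong alongside the code: confirm the value of $_configuration['enable_uploadimage_editor'] in the platform configuration, since the bulletin ties exposure to it, and configure the web server so that nothing under the upload directory is ever handed to the PHP interpreter, which contains this class of bug even when validation fails.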


3) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2025-59540)

CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of an admin user.

The vulnerability exists due to cross-site scripting in public/main/exercise/exercise_history.php when rendering feedback input on the exercise history page. A remote user can inject a malicious script into the feedback field to execute arbitrary JavaScript in the browser of an admin user.

User interaction is required when an admin views the exercise history, and the payload persists in the database until removed.


4) Cross-site request forgery (CVE-ID: CVE-2025-59541)

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to cause a denial of service and modify data.

The vulnerability exists due to cross-site request forgery in the project module when handling project deletion requests. A remote attacker can trick the victim into visiting a malicious page to cause a denial of service and modify data.

User interaction is required, and the action is performed using the victim's existing session cookies.
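The pattern that closes this class of issue is a per-session secret, a per-action token checked with a constant-time comparison, a POST-only handler, and a SameSite session cookie so the browser does not attach the victim's session to cross-site submissions in the first place. The block below is an added example written for this bulletin, not Chamilo's project module; the endpoint path, field names and the "project_delete" action label are assumptions.

```php
<?php
// Added illustration, not Chamilo code. Endpoint, field and action names are assumptions.

// Before session_start() in the real application: with SameSite=Lax the
// session cookie is not attached to cross-site POSTs or subrequests.
session_set_cookie_params(['samesite' => 'Lax', 'secure' => true, 'httponly' => true]);

// One secret per session; per-action tokens are derived from it with HMAC.
function csrfSecret(): string
{
    if (empty($_SESSION['csrf_secret'])) {
        $_SESSION['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_secret'];
}

function csrfToken(string $action): string
{
    return hash_hmac('sha256', $action, csrfSecret());
}

function csrfCheck(string $action, mixed $presented): bool
{
    return is_string($presented) && hash_equals(csrfToken($action), $presented);
}

// Deletion requires POST plus a valid token; a link or a cross-site form cannot supply it.
function handleProjectDelete(array $post, string $method, callable $deleteProject): int
{
    if ($method !== 'POST') {
        return 405;
    }
    if (!csrfCheck('project_delete', $post['csrf_token'] ?? null)) {
        return 403;
    }
    $id = filter_var($post['project_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 400;
    }
    $deleteProject($id);
    return 200;
}

// Form side: the token travels in a hidden field, never in the URL.
function renderDeleteForm(int $projectId): string
{
    $token = htmlspecialchars(csrfToken('project_delete'), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/main/project/delete">'
         . '<input type="hidden" name="project_id" value="' . $projectId . '">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button>Delete project</button></form>';
}

// CLI demo: emulate a session, then a forged cross-site POST and a legitimate one.
$_SESSION = [];
$deleted = [];
$sink = function (int $id) use (&$deleted) { $deleted[] = $id; };
$forged     = handleProjectDelete(['project_id' => '7'], 'POST', $sink);
$legitimate = handleProjectDelete(['project_id' => '7', 'csrf_token' => csrfToken('project_delete')], 'POST', $sink);
var_dump($forged, $legitimate, $deleted);
```

The forged request carries the victim's cookies but no token, so it is refused before any deletion; the legitimate submission carries a token that only a page rendered inside the victim's session could have obtained.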


5) Cross-site scripting (CVE-ID: CVE-2025-59542)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript code in another user's browser and take over accounts.

The vulnerability exists due to stored cross-site scripting in the course learning path Settings field when rendering the course information page. A remote user can inject malicious JavaScript into the field to execute arbitrary JavaScript code in another user's browser and take over accounts.

User interaction is required when another user views the course information page.


6) Cross-site scripting (CVE-ID: CVE-2025-59543)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to take over accounts.

The vulnerability exists due to cross-site scripting in the course description field when rendering course information pages. A remote user can inject malicious JavaScript into the course description field to take over accounts.

User interaction is required to view the course information page.


7) Cross-site scripting (CVE-ID: CVE-2025-55289)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser and compromise accounts.

The vulnerability exists due to cross-site scripting in the skill management argumentation parameter when processing user-supplied input. A remote user can submit a specially crafted argumentation value to execute arbitrary JavaScript in a victim's browser and compromise accounts.

The payload executes when viewed by an authenticated user, including administrators, within the LMS context.


8) Cross-site scripting (CVE-ID: CVE-2025-55208)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in a victim's browser and compromise the victim's account.

The vulnerability exists due to cross-site scripting in the social networks uploaded files feature when processing uploaded file content that is later viewed in the platform. A remote user can upload a specially crafted file to execute arbitrary script in a victim's browser and compromise the victim's account.

User interaction is required when an authenticated user views the malicious content, including through internal messaging features.
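Issues 3, 5, 6, 7 and 8 are all stored values reaching a page without context-appropriate output encoding. The block below is an added example for this bulletin, not Chamilo's rendering code: it encodes the same stored value for the three places it can land (text content, an attribute, an inline script) and feeds it a constructed payload of the kind that persists in the database. Field names are assumptions.

```php
<?php
// Added illustration, not Chamilo code. Field names are assumptions.

// HTML body and attribute context: encode at output time, never at storage time.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Inline-script context: a JSON literal with HTML-significant characters
// escaped, so a stored "</script>" cannot terminate the script block.
function js(mixed $v): string
{
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Rendering of a stored feedback row: the same value lands in text content,
// in an attribute and in a script, each through the encoder for that context.
function renderFeedbackRow(array $row): string
{
    return '<tr><td>' . h($row['exercise_title']) . '</td>'
         . '<td title="' . h($row['feedback']) . '">' . h($row['feedback']) . '</td></tr>'
         . '<script>var lastFeedback = ' . js($row['feedback']) . ';</script>';
}

// Constructed stored payload of the kind that persists in the database until removed.
$row = [
    'exercise_title' => 'Quiz 1',
    'feedback'       => '"><img src=x onerror=alert(document.cookie)></script><script>alert(1)</script>',
];
echo renderFeedbackRow($row), PHP_EOL;
```

Fields that legitimately carry HTML (a course description, learning path settings) cannot be escaped this way without breaking formatting; those need an allowlist HTML sanitizer such as HTML Purifier applied to the stored value, while every plain-text field still goes through the encoders above. A Content-Security-Policy without 'unsafe-inline' limits what a payload can do if one path is missed.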


9) Missing Authorization (CVE-ID: CVE-2025-59544)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated user to modify the category of any user.

The vulnerability exists due to missing authorization in the category update functionality: the handler acts on the "category_id" parameter without checking that the requester is entitled to change that record. A remote user can send a crafted request with a substituted "category_id" value to modify the category of any user.

The "category_id" value is numeric and incremental, so the affected records can be enumerated simply by iterating the parameter.
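The fix for a missing-authorization bug of this shape is to make ownership part of the write itself rather than a separate lookup that can be forgotten. The following is an added example for this bulletin, not Chamilo's category code: the vulnerable handler trusts the client's id, the hardened one scopes the UPDATE to the caller's records (admins excepted) and returns the same "not found" for missing and foreign records, which also removes the oracle that an incremental id would otherwise give. Table and column names are assumptions.

```php
<?php
// Added illustration, not Chamilo code. Table and column names are assumptions.

// VULNERABLE: trusts the client's category_id; any authenticated user can
// retarget the update at any record by changing the number.
function updateCategoryVulnerable(PDO $db, array $post): int
{
    $stmt = $db->prepare('UPDATE user_category SET name = :name WHERE id = :id');
    $stmt->execute([':name' => $post['name'], ':id' => $post['category_id']]);
    return $stmt->rowCount();
}

// HARDENED: the ownership condition is part of the statement, so a record the
// caller does not own matches zero rows; platform admins bypass the scoping.
function updateCategoryHardened(PDO $db, array $post, int $userId, bool $isAdmin): int
{
    $id = filter_var($post['category_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('category_id must be an integer');
    }
    $sql    = 'UPDATE user_category SET name = :name WHERE id = :id';
    $params = [':name' => $post['name'], ':id' => $id];
    if (!$isAdmin) {
        $sql .= ' AND owner_id = :owner';
        $params[':owner'] = $userId;
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    if ($stmt->rowCount() === 0) {
        // Same response whether the record is missing or belongs to someone
        // else: iterating category_id learns nothing.
        throw new RuntimeException('not found');
    }
    return $stmt->rowCount();
}

// Demo on in-memory SQLite with constructed rows owned by two different users.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE user_category (id INTEGER PRIMARY KEY, owner_id INTEGER, name TEXT)');
$db->exec("INSERT INTO user_category VALUES (1, 100, 'alice'), (2, 200, 'bob')");

$attack = ['category_id' => '2', 'name' => 'pwned'];
var_dump(updateCategoryVulnerable($db, $attack));       // user 100 rewrites user 200's record
try {
    updateCategoryHardened($db, $attack, 100, false);  // scoped statement matches no row for user 100
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump(updateCategoryHardened($db, ['category_id' => '1', 'name' => 'renamed'], 100, false));
```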


10) OS Command Injection (CVE-ID: CVE-2026-32892)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user with elevated privileges to execute arbitrary OS commands.

The vulnerability exists due to improper neutralization of special elements used in an OS command in the move() function of main/inc/lib/fileManage.lib.php when handling document move requests via document.php. A remote privileged user can send a specially crafted move_to parameter to execute arbitrary OS commands on the server.

Exploitation requires the ability to move documents in a course, and the attacker must first place a directory whose name contains shell metacharacters on the filesystem, for example through a course backup import.


11) OS Command Injection (CVE-ID: CVE-2026-35196)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary commands on the underlying server.

The vulnerability exists due to improper neutralization of special elements used in an OS command in the export_all_certificates action of main/inc/ajax/gradebook.ajax.php, which passes a session-derived course code to shell_exec(). A remote user who can influence that session value can inject shell metacharacters and execute arbitrary commands on the underlying server.

Exploitation requires a poisoned session in which the $_SESSION['_cid'] value can be manipulated; the value is not taken from request parameters directly.
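Issues 10 and 11 share a root cause: a string that the code treats as a name (a directory, a course code) is handed to a shell, which treats it as syntax. The block below is an added example for this bulletin, not Chamilo's fileManage or gradebook code. It shows the vulnerable shape, the preferred fix (no shell: rename() confined to the document tree), the fallback when an external program is unavoidable (allowlist, then escapeshellarg on every operand), and a scan for directory names carrying shell metacharacters, which is the precondition the bulletin describes for issue 10. Paths, the course-code pattern and the tar command are assumptions; the directory tree is constructed for the demo.

```php
<?php
// Added illustration, not Chamilo code. Paths, the course-code pattern and the
// export command are assumptions made for the demonstration.

// VULNERABLE pattern: a filesystem name or a session value reaches the shell
// verbatim, so "a; id > /tmp/pwned #" is a command, not a directory name.
function moveVulnerable(string $src, string $dstDir): void
{
    exec("mv $src $dstDir");
}

// HARDENED, option 1: no shell at all. rename() takes the path as data, and
// both ends are confined to the course document tree via realpath().
function moveSafe(string $src, string $dstDir, string $docRoot): bool
{
    $realSrc = realpath($src);
    $realDst = realpath($dstDir);
    $root    = realpath($docRoot);
    if ($realSrc === false || $realDst === false || $root === false) {
        return false;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($realSrc, $prefix, strlen($prefix)) !== 0
        || strncmp($realDst, $prefix, strlen($prefix)) !== 0) {
        return false;   // outside the document tree
    }
    return rename($realSrc, $realDst . DIRECTORY_SEPARATOR . basename($realSrc));
}

// HARDENED, option 2: when an external program is unavoidable, allowlist values
// that have no business containing metacharacters, then quote every operand.
function exportCertificatesCommand(string $courseCode, string $exportDir): string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,40}$/', $courseCode)) {
        throw new InvalidArgumentException('course code contains unexpected characters');
    }
    return 'tar -czf ' . escapeshellarg("$exportDir/$courseCode.tgz")
         . ' -C ' . escapeshellarg($exportDir) . ' ' . escapeshellarg($courseCode);
}

// Check: list directory names under the course tree that carry shell
// metacharacters, i.e. the staging step an attacker needs for issue 10.
function suspiciousDirNames(string $root): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        if ($info->isDir() && preg_match('/[;|&$`<>()\\\\\'"\s*?]/', $info->getFilename())) {
            $hits[] = $path;
        }
    }
    return $hits;
}

// Demo with a constructed tree: a directory named like an injection payload.
$root = sys_get_temp_dir() . '/docs_' . bin2hex(random_bytes(4));
mkdir("$root/a; id > /tmp/pwned #", 0700, true);
mkdir("$root/target", 0700);
print_r(suspiciousDirNames($root));
var_dump(moveSafe("$root/a; id > /tmp/pwned #", "$root/target", $root));
var_dump(is_dir("$root/target/a; id > /tmp/pwned #"));
echo exportCertificatesCommand('COURSE01', $root), PHP_EOL;
try {
    exportCertificatesCommand('X; id', $root);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Running suspiciousDirNames() over the course document and backup directories of an unpatched instance is a cheap way to tell whether the staging step for issue 10 has already happened.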


12) SQL injection (CVE-ID: CVE-2026-33714)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user with elevated privileges to disclose sensitive information and modify data in the database.

The vulnerability exists due to SQL injection in the users_active action of public/main/inc/ajax/statistics.ajax.php when processing the date_start and date_end request parameters. A remote privileged user can send specially crafted date values to disclose sensitive information and modify data in the database.

The issue is reachable through a different code path in the same file as an earlier, related issue and was confirmed to be the result of an incomplete fix.
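Both SQL injection entries in this bulletin (1 and 12) hinge on date-shaped parameters being spliced into a query, and the incomplete-fix history of issue 12 is the usual result of patching one call site instead of the pattern. The following is an added example, not Chamilo's statistics code: the vulnerable shape next to a hardened one that validates the dates strictly (format plus round-trip) and binds them, run against an in-memory SQLite table of constructed login rows. Table and column names are assumptions.

```php
<?php
// Added illustration, not Chamilo code. Table and column names are assumptions.

// VULNERABLE: request values are spliced into the SQL text.
function activeUsersVulnerable(PDO $db, array $request): array
{
    $start = $request['date_start'];
    $end   = $request['date_end'];
    $sql = "SELECT user_id, login_date FROM track_e_login "
         . "WHERE login_date BETWEEN '$start' AND '$end'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Strict date validation: only YYYY-MM-DD that round-trips through the
// parser, which rejects injection payloads and impossible dates alike.
function parseDateStrict(?string $value): ?string
{
    if ($value === null || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $value)) {
        return null;
    }
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
    if ($dt === false || $dt->format('Y-m-d') !== $value) {
        return null;
    }
    return $value;
}

// HARDENED: validated values are bound; the SQL text never changes.
function activeUsersHardened(PDO $db, array $request): array
{
    $start = parseDateStrict($request['date_start'] ?? null);
    $end   = parseDateStrict($request['date_end'] ?? null);
    if ($start === null || $end === null || $start > $end) {
        throw new InvalidArgumentException('date_start/date_end must be valid YYYY-MM-DD');
    }
    $stmt = $db->prepare(
        'SELECT user_id, login_date FROM track_e_login '
      . 'WHERE login_date BETWEEN :start AND :end'
    );
    $stmt->execute([':start' => $start . ' 00:00:00', ':end' => $end . ' 23:59:59']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on in-memory SQLite with constructed rows: one inside the range, one far outside.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE track_e_login (user_id INTEGER, login_date TEXT)');
$db->exec("INSERT INTO track_e_login VALUES (1, '2026-03-01 10:00:00'), (2, '2019-01-01 10:00:00')");

$payload = ['date_start' => '2026-03-01', 'date_end' => "2026-03-01' OR '1'='1"];
echo count(activeUsersVulnerable($db, $payload)), " row(s): the injected OR clause widens the query to every row\n";
try {
    activeUsersHardened($db, $payload);
} catch (InvalidArgumentException $e) {
    echo "hardened: ", $e->getMessage(), " (rejected before any SQL runs)\n";
}
echo count(activeUsersHardened($db, ['date_start' => '2026-03-01', 'date_end' => '2026-03-01'])), " row(s) with validated dates\n";
```

The validation step is not a substitute for binding: it exists so that a bad value fails loudly at the boundary, while the prepared statement is what makes the query safe even for inputs the regex did not anticipate.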


Remediation

Install the update from the vendor's website. Where updating is delayed, disabling the $_configuration['enable_uploadimage_editor'] option removes the precondition for the arbitrary file upload (2); the bulletin describes no workaround for the other issues.