Chamilo LMS: Admins can access sensitive data through SQL injection

CVE-2026-33714
Summary

An attacker with admin access to a Chamilo learning management system can potentially extract sensitive data from the database by exploiting a flaw in the statistics feature. This is fixed in the latest version of Chamilo; users are recommended to upgrade to version 2.0.0.

Original description
Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters in the get_user_registration_by_month action, the same parameters remain unsanitized in the users_active action within the same file (public/main/inc/ajax/statistics.ajax.php), where they are directly interpolated into a SQL query. An authenticated admin can exploit this to perform time-based blind SQL injection, enabling extraction of arbitrary data from the database. This issue has been fixed in version 2.0.0.
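The interpolation pattern the advisory describes for the users_active action, reconstructed as an added illustration (this is not Chamilo's code), next to a hardened version that validates the dates and binds them as parameters. Only date_start, date_end, users_active and Security::remove_XSS() are names from the advisory; the function names, the table track_e_login and its columns are hypothetical.

```php
<?php
// Added example (not Chamilo's code): the interpolation pattern the advisory
// describes for users_active, next to a hardened rewrite. Table and column
// names are hypothetical; date_start/date_end come from the advisory.
declare(strict_types=1);

// Vulnerable: request strings become part of the SQL text. An XSS filter such
// as Security::remove_XSS() strips markup, not SQL syntax, so it is not the
// right control here either.
function usersActiveVulnerable(PDO $db, array $req): int
{
    $start = $req['date_start'] ?? '';
    $end   = $req['date_end'] ?? '';
    $sql = "SELECT COUNT(DISTINCT user_id) FROM track_e_login
            WHERE login_date BETWEEN '$start' AND '$end'";
    return (int) $db->query($sql)->fetchColumn();
}

// Strict allow-list: exactly YYYY-MM-DD, a real calendar date, nothing else.
function validDate(string $v): ?string
{
    $dt = DateTime::createFromFormat('!Y-m-d', $v);
    return ($dt !== false && $dt->format('Y-m-d') === $v) ? $v : null;
}

// Hardened: validate, then bind; the values can never alter the query shape.
function usersActiveHardened(PDO $db, array $req): int
{
    $start = validDate((string) ($req['date_start'] ?? ''));
    $end   = validDate((string) ($req['date_end'] ?? ''));
    if ($start === null || $end === null) {
        throw new InvalidArgumentException('date_start/date_end must be YYYY-MM-DD');
    }
    $stmt = $db->prepare('SELECT COUNT(DISTINCT user_id) FROM track_e_login
                          WHERE login_date BETWEEN :s AND :e');
    $stmt->execute([':s' => $start, ':e' => $end]);
    return (int) $stmt->fetchColumn();
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE track_e_login (user_id INT, login_date TEXT)');
$db->exec("INSERT INTO track_e_login VALUES (1,'2026-04-01'),(2,'2026-04-10'),(1,'2026-05-02')");
echo usersActiveHardened($db, ['date_start' => '2026-04-01', 'date_end' => '2026-04-30']), " active users\n";
try { // a stray quote never reaches the SQL parser in the hardened path
    usersActiveHardened($db, ['date_start' => "2026-04-01'", 'date_end' => '2026-04-30']);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The round-trip check in validDate rejects both trailing characters and impossible dates such as 2026-02-30, which createFromFormat would otherwise silently roll over.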
NVD CVSS 4.0 score: 7.1
Vulnerability type
CWE-89 SQL Injection
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026