Zero Day Monitor (ZDM)
CVE-2026-33714
chamilo · chamilo-lms

Chamilo LMS has Authenticated SQL Injection in statistics.ajax.php users_active action (2.0 RC2)

Description

Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL injection vulnerability in the statistics AJAX endpoint that results from an incomplete fix for CVE-2026-30881. CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters in the get_user_registration_by_month action, but the same parameters remain unsanitized in the users_active action within the same file (public/main/inc/ajax/statistics.ajax.php), where they are interpolated directly into a SQL query. An authenticated admin can exploit this to perform time-based blind SQL injection, enabling extraction of arbitrary data from the database. This issue has been fixed in version 2.0.0.
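As an added illustration (not Chamilo's own code or its actual fix), the interpolation pattern described above is shown beside a hardened form in PHP: an XSS filter leaves SQL metacharacters intact, so the defence is strict input validation plus a prepared statement. The table and column names, function names and the PDO connection are assumptions for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Chamilo's code. The schema names below are assumed.

/**
 * Accept only a strict YYYY-MM-DD date. An HTML/XSS filter such as
 * Security::remove_XSS() strips tags but leaves quotes, comment markers
 * and SQL functions untouched, so it is not a SQL injection fix.
 */
function parseStrictDate(?string $value): ?DateTimeImmutable
{
    if ($value === null || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $value)) {
        return null;
    }
    $date = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
    // createFromFormat silently rolls over e.g. 2026-02-31, so round-trip it.
    if ($date === false || $date->format('Y-m-d') !== $value) {
        return null;
    }
    return $date;
}

/**
 * Count users active in a date range. The bound parameters never become
 * part of the SQL text, so no value in them can change the query shape.
 */
function countActiveUsers(PDO $pdo, string $dateStart, string $dateEnd): int
{
    $start = parseStrictDate($dateStart);
    $end   = parseStrictDate($dateEnd);
    if ($start === null || $end === null || $start > $end) {
        throw new InvalidArgumentException('date_start/date_end must be valid YYYY-MM-DD dates');
    }

    // VULNERABLE pattern (the bug class in the advisory), shown only as contrast:
    //   "... WHERE login_date BETWEEN '$dateStart' AND '$dateEnd'"
    // Hardened form: placeholders plus bound values (assumed table/columns).
    $stmt = $pdo->prepare(
        'SELECT COUNT(DISTINCT login_user_id) FROM track_e_login ' .
        'WHERE login_date BETWEEN :start AND :end'
    );
    $stmt->execute([
        ':start' => $start->format('Y-m-d 00:00:00'),
        ':end'   => $end->format('Y-m-d 23:59:59'),
    ]);
    return (int) $stmt->fetchColumn();
}
```

Reviewing a fix for this class of bug means checking every action in the file that reads the same parameters, not only the one named in the original report.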

Affected Products

Vendor    Product       Versions
chamilo   chamilo-lms   >= 2.0.0-RC.2, < 2.0.0

References

  • https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-w8c4-c7r8-qgw2 (CONFIRM)
  • https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0 (MISC)

Related News (1 article)

Tier C · VulDB · 6h ago
CVE-2026-33714 | Chamilo LMS up to 1.x AJAX Endpoint statistics.ajax.php Security::remove_XSS date_start/date_end sql injection (GHSA-w8c4-c7r8-qgw2)
→ No new info (linked only)

CISA KEV: No
Actively exploited: No
CWE: CWE-89
Published: Apr 14, 2026
Last enriched: 5h ago (v2)
Trending Score: 30
Source articles: 1
Independent: 1
Info Completeness: 7/14
Missing: cvss, epss, kev, exploit, patch, iocs, mitre_attack


Related CVEs (5)

CRITICAL · CVE-2026-34370 · EXP
Chamilo LMS: IDOR in the Notebook Module allows an attacker to view other users' private notes
Trending: 49

CRITICAL · CVE-2026-34602 · EXP
Chamilo LMS: IDOR in /api/course_rel_users Allows Unauthorized Enrollment of Arbitrary Users into Courses
Trending: 49

CRITICAL · CVE-2026-35196 · EXP
Chamilo LMS has OS Command Injection via export_all_certificates action
Trending: 49

CRITICAL · CVE-2026-34160
Chamilo LMS: Unauthenticated SSRF via PENS Plugin allows attacker to probe internal network and reach cloud metadata services
Trending: 30

CRITICAL · CVE-2026-33715
Chamilo LMS has Unauthenticated SSRF and Open Email Relay via install.ajax.php test_mailer action
Trending: 30


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 14, 2026
Discovered by ZDM: Apr 14, 2026
Updated (severity): Apr 14, 2026

Version History

v2 · Tier C · 5h ago (last enriched)

Updated severity to CRITICAL and noted that no exploit exists for the vulnerability.

Field changed: severity (via VulDB)

v1 · 6h ago

Initial creation