Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
CVE-2026-35196 · CVSS 8.8 · EXPLOITED · PATCHED
Vendor: chamilo · Product: chamilo lms

Chamilo LMS has OS Command Injection via export_all_certificates action

Description

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the export_all_certificates action of the main/inc/ajax/gradebook.ajax.php endpoint contains an OS command injection (CWE-78): the course code returned by api_get_course_id(), which reads it from the session variable $_SESSION['_cid'], is concatenated directly into a shell_exec() command string without validation and without escapeshellarg(). An attacker who can manipulate or poison their own session data so that _cid contains shell metacharacters can therefore execute arbitrary commands on the underlying server, running as the user of the PHP process. Successful exploitation allows reading system files and credentials, altering the application and its database, or disrupting server availability. The issue is fixed in version 2.0.0-RC.3.
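The following is an added illustration of the pattern the advisory describes, not Chamilo's own code: it reconstructs a shell_exec() command built from $_SESSION['_cid'] and places it beside a hardened version that validates the course code and quotes every argument with escapeshellarg(). The command shape (a zip of a certificates directory), the function names api_get_course_id_assumed, build_export_cmd_vulnerable, build_export_cmd_safe and is_valid_course_code, the paths, the course-code pattern and the poisoned session value are all assumptions chosen for the demonstration.

```php
<?php
// Added example reconstructing the CWE-78 pattern from the advisory.
// NOT Chamilo's code: command, paths and function names are assumptions;
// only shell_exec(), escapeshellarg() and the $_SESSION['_cid'] key come from the advisory.

// Constructed sample: a poisoned session whose course code carries shell metacharacters.
// How the attacker gets the value into the session is out of scope here.
$_SESSION = ['_cid' => 'MATH101; id > /tmp/pwned #'];

// Stand-in for api_get_course_id(): returns the course code held in the session.
function api_get_course_id_assumed(): string
{
    return $_SESSION['_cid'] ?? '';
}

// VULNERABLE: the course code is spliced into the command string verbatim.
// With the poisoned value above, the ';' terminates the zip command and
// 'id > /tmp/pwned' runs as a second command; '#' comments out the rest.
function build_export_cmd_vulnerable(string $courseCode): string
{
    return 'zip -r /tmp/certificates_' . $courseCode . '.zip '
         . '/var/www/courses/' . $courseCode . '/certificates';
}

// HARDENED, step 1: allow-list the shape of a course code before using it at all.
// The exact pattern is an assumption; the point is to reject anything that is not
// a plain identifier instead of trying to strip "bad" characters.
function is_valid_course_code(string $courseCode): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,40}$/', $courseCode);
}

// HARDENED, step 2: even after validation, pass every value through escapeshellarg()
// so the shell sees each path as a single quoted argument. Returns null on
// rejection so the caller aborts (and logs) rather than running a fallback command.
function build_export_cmd_safe(string $courseCode): ?string
{
    if (!is_valid_course_code($courseCode)) {
        return null;
    }
    $zipPath = escapeshellarg('/tmp/certificates_' . $courseCode . '.zip');
    $dirPath = escapeshellarg('/var/www/courses/' . $courseCode . '/certificates');
    return 'zip -r ' . $zipPath . ' ' . $dirPath;
}

// Demo: build (but deliberately do not execute) both command strings.
$cid = api_get_course_id_assumed();
echo 'vulnerable: ' . build_export_cmd_vulnerable($cid) . PHP_EOL;
echo 'hardened  : ' . (build_export_cmd_safe($cid) ?? '[rejected: invalid course code]') . PHP_EOL;
echo 'hardened  : ' . build_export_cmd_safe('MATH101') . PHP_EOL;
```

Run it with the PHP CLI and compare the three lines: the vulnerable string contains a second shell command introduced by the ';' in the session value, the hardened path rejects that value outright, and a benign code comes out as two single-quoted arguments. The vector's PR:L reflects the precondition in the description: the attacker must already be an authenticated user able to get metacharacters into their own _cid session variable, so the fix belongs at the point where the value meets the shell, not in whatever sets the session.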

Affected Products

Vendor    Product       Versions
chamilo   chamilo lms   < 2.0.0-RC.3, < 2.0.0-RC.2 (i.e. all releases up to and including 2.0.0-RC.2)

References

  • https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-crc6-r6c7-44q3 (GitHub security advisory; CONFIRM)
  • https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1 (fix commit; MISC)
  • https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3 (fixed release; MISC)

Related News (1 article)

  • VulDB (Tier C, 4h ago): CVE-2026-35196 | Chamilo LMS up to 2.0.0-RC.2 gradebook.ajax.php api_get_course_id _cid os command injection
    No new info (linked only)
CVSS 3.1 score: 8.8 (High on the CVSS v3.1 qualitative scale; the site labels it CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA KEV: No
Actively exploited: Yes (site flag; no exploit reference or KEV entry is linked on this page)
Patch available: 2.0.0-RC.3
CWE: CWE-78 (OS Command Injection)
Published: Apr 14, 2026
Last enriched: 3h ago (v2)
Trending score: 49
Source articles: 1 (independent: 1)
Info completeness: 9/14; missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

  • CVE-2026-34370 (CRITICAL, EXP) Chamilo LMS: IDOR in the Notebook Module allows an attacker to view other users' private notes. Trending: 49
  • CVE-2026-34602 (CRITICAL, EXP) Chamilo LMS: IDOR in /api/course_rel_users Allows Unauthorized Enrollment of Arbitrary Users into Courses. Trending: 49
  • CVE-2026-33714 (CRITICAL) Chamilo LMS has Authenticated SQL Injection in statistics.ajax.php users_active action (2.0 RC2). Trending: 30
  • CVE-2026-34160 (CRITICAL) Chamilo LMS: Unauthenticated SSRF via PENS Plugin allows attacker to probe internal network and reach cloud metadata services. Trending: 30
  • CVE-2026-33715 (CRITICAL) Chamilo LMS has Unauthenticated SSRF and Open Email Relay via install.ajax.php test_mailer action. Trending: 30

Verification

State: unverified · Confidence: 0%

Vulnerability Timeline

  • Apr 14, 2026: CVE published
  • Apr 14, 2026: marked actively exploited
  • Apr 14, 2026: patch available
  • Apr 14, 2026: discovered by ZDM
  • Apr 14, 2026: updated severity, activelyExploited, patchAvailable, affectedVersions

Version History

v2 (Tier C, 3h ago, via VulDB): Updated severity to CRITICAL, noted that no exploit is available, and specified affected versions up to 2.0.0-RC.2. Fields changed: severity, activelyExploited, patchAvailable, affectedVersions.

v1 (3h ago): Initial creation.