CVE-2026-33714
HIGHChamilo LMS has Authenticated SQL Injection in statistics.ajax.php users_active action (2.0 RC2)
Title source: cnaDescription
Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters in the get_user_registration_by_month action, the same parameters remain unsanitized in the users_active action within the same file (public/main/inc/ajax/statistics.ajax.php), where they are directly interpolated into a SQL query. An authenticated admin can exploit this to perform time-based blind SQL injection, enabling extraction of arbitrary data from the database. This issue has been fixed in version 2.0.0.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-w8c4-c7r8-qgw2
X_Refsource_Misc x_refsource_misc
https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0
Scores
CVSS v3
7.2
EPSS
0.0026
EPSS Percentile
16.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-89
Status
published
Products (2)
chamilo/chamilo-lms
>= 2.0.0-RC.2, < 2.0.0
chamilo/chamilo_lms
2.0.0 rc2
Published
Apr 14, 2026
Tracked Since
Apr 15, 2026