OS Command Injection Vulnerability in Chamilo LMS Affects Authenticated Users
CVE-2026-32892
What is CVE-2026-32892?
Chamilo LMS before versions 1.11.38 and 2.0.0-RC.3 contains an OS command injection in its file management feature. The move() function in fileManage.lib.php interpolates user-controlled path inputs into shell commands run through exec() without sufficient sanitization, so an authenticated user, including a teacher, can execute arbitrary commands on the server by crafting a directory name that contains shell metacharacters. Exploitation requires the attacker to first place a specially crafted directory on the filesystem, which can be done via Course Backup Import. A successful exploit gives the attacker code execution as the web server user, with potentially severe security consequences.
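As an added illustration (not Chamilo's own code), the shell-interpolation pattern the advisory describes is shown beside a hardened move() that never hands the path to a shell; the function names and the $base course-root parameter are hypothetical.

```php
<?php
// Added illustration, not code from Chamilo LMS. $base is a hypothetical
// course document root that every move must stay inside.

// Unsafe pattern (the bug class the advisory describes): user-controlled
// paths are interpolated into a command line that exec() passes to /bin/sh,
// so shell metacharacters in a directory name become part of the command.
function move_unsafe(string $source, string $targetDir): bool
{
    exec("mv $source $targetDir", $output, $status); // paths unescaped
    return $status === 0;
}

// True when $path is $base itself or lies strictly beneath it.
function is_inside(string $path, string $base): bool
{
    return $path === $base
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Hardened replacement: no shell at all. rename() is a direct filesystem
// call, so metacharacters in a name are just bytes in a filename. Both paths
// are resolved with realpath(), which also resolves ../ and symlinks, and
// are required to stay under $base.
function move_safe(string $source, string $targetDir, string $base): bool
{
    $base = realpath($base);
    $src  = realpath($source);
    $dst  = realpath($targetDir);
    if ($base === false || $src === false || $dst === false) {
        return false; // a path does not exist
    }
    if ($src === $base || !is_inside($src, $base) || !is_inside($dst, $base)) {
        return false; // refuse to move the root or anything outside it
    }
    if (!is_dir($dst)) {
        return false;
    }
    return rename($src, $dst . DIRECTORY_SEPARATOR . basename($src));
}

// If a shell command is genuinely unavoidable, each argument goes through
// escapeshellarg() and '--' stops a name beginning with '-' from being read
// as an option by mv.
function move_via_shell(string $source, string $targetDir): bool
{
    $cmd = 'mv -- ' . escapeshellarg($source) . ' ' . escapeshellarg($targetDir);
    exec($cmd, $output, $status);
    return $status === 0;
}
```

The containment check in move_safe() is what stops a crafted directory placed elsewhere on the filesystem (for example via an import feature) from being used as a source or destination.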
Affected Version(s)
chamilo-lms < 1.11.38 (fixed in 1.11.38)
chamilo-lms >= 2.0.0-alpha.1, < 2.0.0-RC.3 (fixed in 2.0.0-RC.3)
