OS Command Injection in Chamilo LMS by Chamilo Foundation
CVE-2026-35196

8.8 HIGH

Key Information:

Vendor:
Chamilo

CVE Published:
14 April 2026

What is CVE-2026-35196?

Chamilo LMS, an open-source learning management system, is vulnerable to OS command injection through the main/inc/ajax/gradebook.ajax.php endpoint. The course code held in session variables is used, without adequate sanitisation, to build a command string that is then executed by the operating system. Because that value can be influenced by the user whose session it is, an attacker can embed shell metacharacters in it and run arbitrary commands on the server. Successful exploitation can expose sensitive system files and credentials, allow modification of the application or its database, or disrupt the server. The CVSS vector (network-reachable, low complexity, low privileges, no user interaction) indicates that an authenticated user with basic privileges can trigger the flaw on their own, without any administrator involvement. The issue is fixed in version 2.0.0-RC.3.
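The pattern the advisory describes, as an added PHP illustration that is not Chamilo's code: a course code held in the session is concatenated into a command string, shown beside two hardened forms (allow-list validation plus escapeshellarg, and a shell-free proc_open call). The helper names, the `gradebook-export` binary, the output path and the course-code format are assumptions; only the injection pattern itself comes from the advisory text.

```php
<?php
// Added illustration for this advisory, not code from Chamilo LMS. The helper
// names, the "gradebook-export" binary and the course-code format are
// assumptions; only the pattern (a session-held course code spliced into a
// shell command) comes from the advisory.
declare(strict_types=1);

// Assumed course-code format: alphanumerics, underscore and hyphen, 1-40 chars.
const COURSE_CODE_PATTERN = '/^[A-Za-z0-9_-]{1,40}$/';

// Vulnerable pattern: the session value goes straight into the command line.
// A course code such as "MATH101; id > /tmp/pwned" terminates the intended
// command at ";" and the shell runs the remainder as a second command.
function buildExportCommandVulnerable(string $courseCode): string
{
    return 'gradebook-export --course ' . $courseCode . ' --out /tmp/export.csv';
}

// Hardened string form: reject anything outside the expected format, then
// quote the value so the shell sees one literal word even if the validation
// is later loosened. Session storage does not make the value trustworthy;
// it was placed there earlier on behalf of the same (low-privileged) user.
function buildExportCommandHardened(string $courseCode): string
{
    if (preg_match(COURSE_CODE_PATTERN, $courseCode) !== 1) {
        throw new InvalidArgumentException('invalid course code');
    }
    return 'gradebook-export --course ' . escapeshellarg($courseCode) . ' --out /tmp/export.csv';
}

// Safest form: involve no shell at all. Since PHP 7.4, proc_open() accepts the
// command as an array and executes the program directly, so metacharacters in
// $courseCode reach it as plain argument bytes and are never interpreted.
function runExportWithoutShell(string $courseCode): int
{
    if (preg_match(COURSE_CODE_PATTERN, $courseCode) !== 1) {
        throw new InvalidArgumentException('invalid course code');
    }
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(
        ['gradebook-export', '--course', $courseCode, '--out', '/tmp/export.csv'],
        $descriptors,
        $pipes
    );
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start export');
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Demonstration with a constructed attacker-controlled value standing in for
// the course code read from the session.
$sessionCourseCode = 'MATH101; id > /tmp/pwned';

echo "vulnerable: " . buildExportCommandVulnerable($sessionCourseCode) . PHP_EOL;

try {
    echo "hardened:   " . buildExportCommandHardened($sessionCourseCode) . PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected, " . $e->getMessage() . PHP_EOL;
}

echo "benign:     " . buildExportCommandHardened('MATH101') . PHP_EOL;
```

Run with `php example.php`: the first line shows the injected `;` splitting the command, the second shows the malicious value being rejected by the allow-list, and the third shows a benign code passing through quoted. `runExportWithoutShell()` is defined but not invoked here because the assumed binary does not exist; it is the form to prefer when the application actually needs to spawn a process, since escaping is only needed when a shell parses the string, and an exec-style array call removes that parser entirely.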

Affected Version(s)

chamilo-lms < 2.0.0-RC.3

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 14 April 2026

  • Vulnerability reserved