CVE-2026-28430

Name of the Vulnerable Software and Affected Versions Chamilo LMS versions prior to 1.11.34

Description Chamilo LMS is a learning management system. Prior to version 1.11.34, an unauthenticated SQL injection issue exists, allowing remote attackers to execute arbitrary SQL commands through the custom dates parameter. This can be chained with a predictable legacy password reset mechanism, enabling full administrative account takeover without prior credentials. The vulnerability also exposes the entire database, including Personally Identifiable Information (PII) and system configurations.

Recommendations Versions prior to 1.11.34 should be updated to version 1.11.34 or later.