CVE-2025-50197

Name of the Vulnerable Software and Affected Versions Chamilo versions prior to 1.11.30

Description The Chamilo learning management system has an OS Command Injection issue. This occurs due to a failure to neutralize special elements used in the operating system command. Successful exploitation allows a remote attacker to execute arbitrary SQL queries. The issue is located in the /main/admin/sub language ajax.inc.php file and involves the new language parameter submitted via a POST request.

Recommendations Update to version 1.11.30 or later.