PT-2026-25801 · Chamilo · Chamilo Lms

Elliszat · Published 2026-03-16 · Updated 2026-03-17 · CVE-2026-30881

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Chamilo LMS versions prior to 1.11.36

Description: Chamilo LMS is a learning management system. Its statistics AJAX endpoint has a SQL injection issue: the date_start and date_end parameters from the $_REQUEST array are embedded directly into a raw SQL string without proper sanitization. The Database::escape_string() function is called, but its output is neutralized, so the escaping is bypassed and an authenticated attacker can inject arbitrary SQL statements into the database query. This enables blind time-based and conditional data extraction. The vulnerable API endpoint is '/statistics'.

Recommendations: Versions prior to 1.11.36 should be updated to version 1.11.36 or later.
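As an added illustration (not Chamilo's code; the escape helper, table and column names are placeholders), the weakness class the description refers to, an escaping call whose result never reaches the query, beside a validated and parameterized rewrite:

```php
<?php
// Added illustration, not Chamilo's code. Stand-in for Database::escape_string();
// a real implementation would wrap mysqli_real_escape_string() on the live connection.
function escape_string(string $value): string
{
    return addslashes($value); // placeholder behaviour only
}

// Weak pattern: escape_string() is called, but its return value is thrown away,
// so the ORIGINAL request value is what ends up inside the SQL string.
function buildStatsQueryWeak(array $request): string
{
    $dateStart = $request['date_start'] ?? '';
    $dateEnd   = $request['date_end'] ?? '';
    escape_string($dateStart); // result ignored: escaping has no effect
    escape_string($dateEnd);
    // 'stats_events' / 'event_date' are placeholder names
    return "SELECT COUNT(*) FROM stats_events"
         . " WHERE event_date BETWEEN '$dateStart' AND '$dateEnd'";
}

// Fixed pattern: reject anything that is not a YYYY-MM-DD date, then bind the
// values as parameters so the database never interprets them as SQL.
function buildStatsQueryFixed(PDO $pdo, array $request): PDOStatement
{
    $datePattern = '/^\d{4}-\d{2}-\d{2}$/';
    $dateStart = $request['date_start'] ?? '';
    $dateEnd   = $request['date_end'] ?? '';
    if (!preg_match($datePattern, $dateStart) || !preg_match($datePattern, $dateEnd)) {
        throw new InvalidArgumentException('date_start/date_end must be YYYY-MM-DD');
    }
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM stats_events WHERE event_date BETWEEN :start AND :end'
    );
    $stmt->bindValue(':start', $dateStart);
    $stmt->bindValue(':end', $dateEnd);
    $stmt->execute();
    return $stmt;
}
```

A code review check that catches the weak form is to flag any escaping call whose return value is unused, since escaping functions are pure and only matter through what they return.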

Tags: SQL injection

Weakness Enumeration

Related Identifiers: CVE-2026-30881, GHSA-5GGX-X2CV-4H44

Affected Products: Chamilo Lms