CVE-2026-32892

Name of the Vulnerable Software and Affected Versions Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3

Description Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without proper sanitization. Specifically, the move to POST parameter, after only HTML filtering with Security::remove XSS(), is concatenated into shell commands like exec("mv $source $target"). An authenticated user who is a teacher in a course can move documents, potentially leading to arbitrary command execution as the web server user (www-data). An attacker can achieve this by first placing a directory with shell metacharacters in its name on the filesystem and then moving a document into that directory.

Recommendations Update to Chamilo LMS version 1.11.38 or 2.0.0-RC.3 or later.