EUVD-2026-12500CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Tags
Description
Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST are embedded directly into a raw SQL string without proper sanitization. Although Database::escape_string() is called downstream, its output is immediately neutralized by str_replace("\'", "'", ...), which restores any injected single quotes - effectively bypassing the escaping mechanism entirely. This allows an authenticated attacker to inject arbitrary SQL statements into the database query, enabling blind time-based and conditional data extraction. This issue has been patched in version 1.11.36.
Analysis
Authenticated attackers can exploit SQL injection in Chamilo LMS 1.11.34 and earlier through the statistics AJAX endpoint, where insufficient input sanitization allows bypassing of database escaping mechanisms via the date_start and date_end parameters. This vulnerability enables blind time-based SQL injection attacks to extract or manipulate sensitive data from the underlying database. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Chamilo LMS instances and their versions; disable or restrict access to the statistics AJAX endpoint if possible. Within 7 days: Implement WAF rules to block malicious SQL patterns in date_start and date_end parameters; restrict statistics feature access to administrative users only; increase monitoring and logging of database queries. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today