Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
10DescriptionGitHub Advisory
Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters in the get_user_registration_by_month action, the same parameters remain unsanitized in the users_active action within the same file (public/main/inc/ajax/statistics.ajax.php), where they are directly interpolated into a SQL query. An authenticated admin can exploit this to perform time-based blind SQL injection, enabling extraction of arbitrary data from the database. This issue has been fixed in version 2.0.0.
AnalysisAI
SQL injection in Chamilo LMS 2.0.0-RC.2 allows authenticated administrators to extract arbitrary database contents via unsanitized date parameters in the statistics AJAX endpoint's users_active action. This represents an incomplete fix for CVE-2026-30881, where only one of two vulnerable parameter sets was sanitized. Time-based blind SQL injection techniques enable data exfiltration despite requiring admin-level authentication. EPSS data not available; no public exploit identified at time of analysis, though the incomplete remediation pattern and technical details in the GitHub advisory lower exploitation barriers for attackers with admin access.
Technical ContextAI
Chamilo LMS is a PHP-based open-source learning management system. This vulnerability stems from CWE-89 (SQL Injection) in the statistics AJAX endpoint (public/main/inc/ajax/statistics.ajax.php). When CVE-2026-30881 was patched, developers applied the Security::remove_XSS() sanitization function to date_start and date_end parameters in the get_user_registration_by_month action, but failed to apply the same fix to identical parameters in the users_active action within the same file. These parameters are directly interpolated into SQL queries without parameterization or escaping, creating a classic first-order SQL injection point. The CVSS vector (AV:N/AC:L/PR:L) indicates network-accessible exploitation with low complexity, though requiring authenticated low-privilege access (admin role in this case). The vulnerability enables time-based blind SQL injection, a technique where attackers infer database contents by measuring server response times to conditional queries, allowing byte-by-byte data extraction even without direct error messages or query results.
RemediationAI
Upgrade immediately to Chamilo LMS version 2.0.0, which contains the complete fix addressing both the original CVE-2026-30881 and this incomplete-fix bypass (release details at https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0). The patch applies proper input sanitization to date_start and date_end parameters in the users_active action, matching the protections already implemented for get_user_registration_by_month. If immediate upgrade is not feasible, implement temporary compensating controls: restrict admin account access through IP allowlisting, enforce multi-factor authentication for all administrative users, monitor SQL query logs for anomalous timing patterns or unexpected date parameter values in statistics.ajax.php requests, and consider disabling the statistics AJAX endpoint entirely if not operationally required. No effective workaround exists beyond access restriction, as the vulnerability is in core application logic. Review all admin accounts for compromise indicators prior to patching, as attackers with prior admin access could have already exploited this during the window between CVE-2026-30881's fix and this complete remediation.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22708