Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionGitHub Advisory
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an OS Command Injection vulnerability exists in the main/inc/ajax/gradebook.ajax.php endpoint within the export_all_certificates action, where the course code retrieved from the session variable $_SESSION['_cid'] via api_get_course_id() is concatenated directly into a shell_exec() command string without sanitization or escaping using escapeshellarg(). If an attacker can manipulate or poison their session data to inject shell metacharacters into the _cid variable, they can achieve arbitrary command execution on the underlying server. Successful exploitation grants full access to read system files and credentials, alters the application and database, or disrupts server availability. This issue has been fixed in version 2.0.0-RC.3.
AnalysisAI
OS command injection in Chamilo LMS prior to 2.0.0-RC.3 allows authenticated attackers to execute arbitrary system commands via session poisoning of the course ID parameter. Attackers with low-privilege accounts can manipulate the $_SESSION['_cid'] variable to inject shell metacharacters into shell_exec() calls in the gradebook certificate export functionality, achieving full system compromise. CVSS 8.8 (High) with network attack vector and low complexity. No public exploit identified at time of analysis, though technical details are disclosed in the GitHub advisory. EPSS data not available for this recent CVE.
Technical ContextAI
This vulnerability affects the Chamilo Learning Management System, a PHP-based open-source e-learning platform. The flaw resides in main/inc/ajax/gradebook.ajax.php within the export_all_certificates action handler. The code retrieves the course identifier via api_get_course_id(), which reads from the session variable $_SESSION['_cid'], and passes this value directly into a shell_exec() command without sanitization using escapeshellarg() or equivalent input validation. CWE-78 (OS Command Injection) occurs when untrusted data flows into system shell commands. In PHP, shell_exec() executes commands through the system shell, making it vulnerable to metacharacter injection (semicolons, pipes, backticks, etc.) if inputs are not properly escaped. The session-based attack vector is particularly dangerous because session data can be poisoned through various means including session fixation, deserialization flaws, or other session manipulation techniques depending on the application's session handling implementation.
RemediationAI
Upgrade immediately to Chamilo LMS version 2.0.0-RC.3 or later, available at https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3. The fix implements proper input sanitization using escapeshellarg() to neutralize shell metacharacters before passing the course ID to shell_exec() commands, as documented in commit 62671e5e268f235cddfba704edee90f35c234df1. Until patching is completed, consider implementing application-layer controls such as restricting access to the gradebook certificate export functionality through web application firewall rules targeting main/inc/ajax/gradebook.ajax.php or temporarily disabling the export_all_certificates feature if operationally feasible. Review session management configurations to ensure session data integrity and monitor for suspicious patterns in course ID parameters within session storage. Organizations unable to immediately upgrade should prioritize network segmentation to limit potential lateral movement following compromise and implement enhanced monitoring for shell command execution anomalies.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22722