Skip to main content

PHP CVE-2026-35196

| EUVDEUVD-2026-22722 HIGH
OS Command Injection (CWE-78)
2026-04-14 security-advisories@github.com
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Patch released
Apr 22, 2026 - 18:37 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:56 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0.0-RC.3
Analysis Generated
Apr 14, 2026 - 22:42 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 22:22 euvd
EUVD-2026-22722
Analysis Generated
Apr 14, 2026 - 22:22 vuln.today
CVE Published
Apr 14, 2026 - 22:16 nvd
HIGH 8.8

DescriptionGitHub Advisory

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an OS Command Injection vulnerability exists in the main/inc/ajax/gradebook.ajax.php endpoint within the export_all_certificates action, where the course code retrieved from the session variable $_SESSION['_cid'] via api_get_course_id() is concatenated directly into a shell_exec() command string without sanitization or escaping using escapeshellarg(). If an attacker can manipulate or poison their session data to inject shell metacharacters into the _cid variable, they can achieve arbitrary command execution on the underlying server. Successful exploitation grants full access to read system files and credentials, alters the application and database, or disrupts server availability. This issue has been fixed in version 2.0.0-RC.3.

AnalysisAI

OS command injection in Chamilo LMS prior to 2.0.0-RC.3 allows authenticated attackers to execute arbitrary system commands via session poisoning of the course ID parameter. Attackers with low-privilege accounts can manipulate the $_SESSION['_cid'] variable to inject shell metacharacters into shell_exec() calls in the gradebook certificate export functionality, achieving full system compromise. CVSS 8.8 (High) with network attack vector and low complexity. No public exploit identified at time of analysis, though technical details are disclosed in the GitHub advisory. EPSS data not available for this recent CVE.

Technical ContextAI

This vulnerability affects the Chamilo Learning Management System, a PHP-based open-source e-learning platform. The flaw resides in main/inc/ajax/gradebook.ajax.php within the export_all_certificates action handler. The code retrieves the course identifier via api_get_course_id(), which reads from the session variable $_SESSION['_cid'], and passes this value directly into a shell_exec() command without sanitization using escapeshellarg() or equivalent input validation. CWE-78 (OS Command Injection) occurs when untrusted data flows into system shell commands. In PHP, shell_exec() executes commands through the system shell, making it vulnerable to metacharacter injection (semicolons, pipes, backticks, etc.) if inputs are not properly escaped. The session-based attack vector is particularly dangerous because session data can be poisoned through various means including session fixation, deserialization flaws, or other session manipulation techniques depending on the application's session handling implementation.

RemediationAI

Upgrade immediately to Chamilo LMS version 2.0.0-RC.3 or later, available at https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3. The fix implements proper input sanitization using escapeshellarg() to neutralize shell metacharacters before passing the course ID to shell_exec() commands, as documented in commit 62671e5e268f235cddfba704edee90f35c234df1. Until patching is completed, consider implementing application-layer controls such as restricting access to the gradebook certificate export functionality through web application firewall rules targeting main/inc/ajax/gradebook.ajax.php or temporarily disabling the export_all_certificates feature if operationally feasible. Review session management configurations to ensure session data integrity and monitor for suspicious patterns in course ID parameters within session storage. Organizations unable to immediately upgrade should prioritize network segmentation to limit potential lateral movement following compromise and implement enhanced monitoring for shell command execution anomalies.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-35196 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy