How to fix EUVD-2026-22722?

Within 24 hours: Identify all Chamilo LMS instances and document current versions. Within 7 days: Upgrade all Chamilo LMS deployments to version 2.0.0-RC.3 or later; disable certificate export functionality if immediate patching is not feasible. Within 30 days: Conduct security audit of Chamilo user accounts and session logs to identify any suspicious certificate export activity; review system command execution logs for unauthorized commands.

Is PHP affected by EUVD-2026-22722?

Chamilo LMS versions prior to 2.0.0-RC.3 contain a command injection vulnerability in the gradebook certificate export feature that allows authenticated users with low-privilege accounts to execute arbitrary system commands and potentially compromise the entire LMS infrastructure.

EUVD-2026-22722

| CVE-2026-35196 HIGH

2026-04-14 [email protected]

PHP Command Injection

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 17, 2026 - 15:52 vuln.today

cvss_changed

Analysis Updated

Apr 16, 2026 - 05:56 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

patch_available

Apr 16, 2026 - 05:29 EUVD

2.0.0-RC.3

Analysis Generated

Apr 14, 2026 - 22:42 vuln.today

DescriptionNVD

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an OS Command Injection vulnerability exists in the main/inc/ajax/gradebook.ajax.php endpoint within the export_all_certificates action, where the course code retrieved from the session variable $_SESSION['_cid'] via api_get_course_id() is concatenated directly into a shell_exec() command string without sanitization or escaping using escapeshellarg(). If an attacker can manipulate or poison their session data to inject shell metacharacters into the _cid variable, they can achieve arbitrary command execution on the underlying server. Successful exploitation grants full access to read system files and credentials, alters the application and database, or disrupts server availability. This issue has been fixed in version 2.0.0-RC.3.

AnalysisAI

OS command injection in Chamilo LMS prior to 2.0.0-RC.3 allows authenticated attackers to execute arbitrary system commands via session poisoning of the course ID parameter. Attackers with low-privilege accounts can manipulate the $_SESSION['_cid'] variable to inject shell metacharacters into shell_exec() calls in the gradebook certificate export functionality, achieving full system compromise. …

RemediationAI

Within 24 hours: Identify all Chamilo LMS instances and document current versions. Within 7 days: Upgrade all Chamilo LMS deployments to version 2.0.0-RC.3 or later; disable certificate export functionality if immediate patching is not feasible. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-22722 vulnerability details – vuln.today

Back

EUVD-2026-22722

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code