CVE-2026-28430
Published: 16 March 2026
Summary
CVE-2026-28430 is a critical-severity SQL injection (CWE-89) vulnerability in Chamilo LMS. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 29.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly addresses the unauthenticated SQL injection via the custom_dates parameter by requiring that the value be validated against its expected form before it reaches the database; combined with parameterized queries, this blocks arbitrary SQL command execution.
SI-2 (Flaw Remediation): mandates identification, reporting, and correction of flaws such as the SQL injection fixed in Chamilo LMS version 1.11.34.
RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning to identify SQL injection flaws such as CVE-2026-28430 in the application before they are exploited.
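As an added example (not code from this page or from the Chamilo project), the following Python shows the CWE-89 pattern that the SI-10 entry targets: a custom_dates-style value concatenated into SQL, beside a hardened version that validates the value against its expected date format and binds it as a query parameter. The "YYYY-MM-DD,YYYY-MM-DD" format, the table names and the in-memory SQLite database are assumptions made for illustration; Chamilo's actual query is not shown on this page.

```python
"""Added example, not code from the page or from the Chamilo project.

Shows the CWE-89 pattern behind a parameter like 'custom_dates' (an
unvalidated value concatenated into SQL) beside a hardened version that
applies SI-10 style allowlist validation and a parameterized query.
Assumptions for illustration: the parameter carries two ISO dates as
"YYYY-MM-DD,YYYY-MM-DD", and the in-memory schema below stands in for the
application database.
"""
import re
import sqlite3
from datetime import date

# Assumed format of the parameter: start date, comma, end date.
CUSTOM_DATES_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}),(\d{4}-\d{2}-\d{2})$")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the LMS backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE login_log (user_id INTEGER, login_date TEXT);
        INSERT INTO user VALUES (1, 'admin', 'hash-of-admin-password');
        INSERT INTO user VALUES (2, 'student', 'hash-of-student-password');
        INSERT INTO login_log VALUES (2, '2026-03-01');
        INSERT INTO login_log VALUES (2, '2026-03-05');
        """
    )
    return conn


def logins_unsafe(conn: sqlite3.Connection, custom_dates: str) -> list:
    """VULNERABLE (CWE-89): the raw parameter is split and concatenated into SQL."""
    start, end = custom_dates.split(",", 1)
    sql = (
        "SELECT user_id, login_date FROM login_log "
        f"WHERE login_date BETWEEN '{start}' AND '{end}'"
    )
    return conn.execute(sql).fetchall()


def parse_custom_dates(custom_dates: str) -> tuple:
    """Allowlist validation (SI-10): exact format, real calendar dates, ordered."""
    m = CUSTOM_DATES_RE.fullmatch(custom_dates)
    if m is None:
        raise ValueError("custom_dates must be 'YYYY-MM-DD,YYYY-MM-DD'")
    start, end = (date.fromisoformat(s) for s in m.groups())  # rejects 2026-13-45
    if start > end:
        raise ValueError("start date is after end date")
    return start.isoformat(), end.isoformat()


def is_valid_custom_dates(custom_dates: str) -> bool:
    """Convenience wrapper returning True only for values validation accepts."""
    try:
        parse_custom_dates(custom_dates)
        return True
    except ValueError:
        return False


def query_logins(conn: sqlite3.Connection, start: str, end: str) -> list:
    """Parameterized query: the driver sends start/end as data, so even a value
    that slipped past validation cannot change the statement's structure."""
    sql = "SELECT user_id, login_date FROM login_log WHERE login_date BETWEEN ? AND ?"
    return conn.execute(sql, (start, end)).fetchall()


def logins_safe(conn: sqlite3.Connection, custom_dates: str) -> list:
    """Hardened path: validate first, then bind parameters (defense in depth)."""
    start, end = parse_custom_dates(custom_dates)
    return query_logins(conn, start, end)


# Constructed payload: the second date is closed early and a UNION appended.
PAYLOAD = "2026-03-01,2026-03-05' UNION SELECT username, password FROM user --"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", logins_unsafe(db, PAYLOAD))  # leaks every username/password row
    print("validation accepts payload:", is_valid_custom_dates(PAYLOAD))
    print("param-bound, unvalidated end:", query_logins(db, "2026-03-01", PAYLOAD.split(",", 1)[1]))
    print("safe:", logins_safe(db, "2026-03-01,2026-03-05"))
```

The two defenses are deliberately layered: the parameterized query is what actually removes the injection, while the format check keeps garbage out of the query path and gives operators a clean signal to alert on when a request fails it.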
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQL injection in a public-facing web application (Chamilo LMS) directly enables T1190 (Exploit Public-Facing Application). Arbitrary SQL execution facilitates dumping database contents, mapping to T1213.006 (Data from Information Repositories: Databases).
NVD Description
Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the custom_dates parameter. By chaining this with a predictable legacy password reset mechanism, an attacker can achieve full administrative account takeover without any prior credentials. The vulnerability also exposes the entire database, including PII and system configurations. This issue has been patched in version 1.11.34.
Deeper analysis
CVE-2026-28430 is an unauthenticated SQL injection vulnerability (CWE-89) affecting Chamilo LMS, an open-source learning management system, in versions prior to 1.11.34. The flaw resides in the handling of the custom_dates parameter, enabling remote attackers to execute arbitrary SQL commands against the backend database. With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it poses a critical risk due to its high confidentiality, integrity, and availability impacts.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required. Successful exploitation allows arbitrary SQL execution, potentially dumping the entire database—including personally identifiable information (PII) and system configurations. By chaining the SQL injection with a predictable legacy password reset mechanism, attackers can achieve full administrative account takeover without any prior credentials, granting complete control over the LMS instance.
The vulnerability has been addressed in Chamilo LMS version 1.11.34, as detailed in the project's GitHub release notes (https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34) and security advisory (https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-84gw-qjw9-v8jv). Security practitioners should prioritize upgrading to 1.11.34 or later. Because the flaw is reachable without credentials, they should also review web server access logs for requests whose custom_dates parameter carries anything other than the expected date values, check database query logs (where enabled) for unexpected UNION or comment sequences, and, given the account-takeover chain through the legacy password reset mechanism, verify that no administrative password was reset or changed unexpectedly.
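The log review suggested above, as an added example that is not taken from this page or from the Chamilo project: a small triage script over constructed access-log lines that flags any custom_dates value outside its expected shape. The endpoint path, the expected "YYYY-MM-DD,YYYY-MM-DD" format and the log lines themselves are assumptions made for the example.

```python
"""Added example, not from the page or the Chamilo project: triage of web
server access logs for requests that carry a 'custom_dates' value outside
its expected shape. Assumptions: the parameter normally holds
"YYYY-MM-DD,YYYY-MM-DD", the endpoint path is a placeholder, and the log
lines are constructed for the example.
"""
import re
from datetime import date
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample in combined log format. /main/report.php is a placeholder
# path, not a real Chamilo route; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Mar/2026:10:01:02 +0000] "GET /main/report.php?custom_dates=2026-03-01,2026-03-05 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Mar/2026:10:01:09 +0000] "GET /main/report.php?custom_dates=2026-03-01%2C2026-03-05%27+UNION+SELECT+username%2Cpassword+FROM+user--+- HTTP/1.1" 200 7210 "-" "sqlmap/1.8"
198.51.100.7 - - [16/Mar/2026:10:02:30 +0000] "GET /main/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Mar/2026:10:03:11 +0000] "POST /main/report.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Mar/2026:10:04:45 +0000] "GET /main/report.php?custom_dates=2026-03-01%2C2026-03-05%27%20AND%20%28SELECT%20COUNT%28%2A%29%20FROM%20user%29%3E0--%20- HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
CUSTOM_DATES_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}),(\d{4}-\d{2}-\d{2})$")
WATCHED_PATH = "/main/report.php"  # placeholder endpoint that consumes custom_dates


def why_suspicious(value: str) -> Optional[str]:
    """None for a well-formed value, otherwise a short reason for the analyst."""
    m = CUSTOM_DATES_RE.fullmatch(value)
    if m is None:
        return "custom_dates does not match YYYY-MM-DD,YYYY-MM-DD"
    try:
        for part in m.groups():
            date.fromisoformat(part)
    except ValueError:
        return "custom_dates contains an impossible calendar date"
    return None


def triage(log_text: str) -> dict:
    """Return flagged requests plus a count of POSTs to the endpoint whose
    body (and therefore any custom_dates value) the access log cannot show."""
    flagged, blind_posts = [], 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparsable line; a real pipeline would count these
        parts = urlsplit(m["target"])
        if parts.path != WATCHED_PATH:
            continue
        if m["method"] == "POST" and not parts.query:
            blind_posts += 1  # parameter may be in the body: needs app/DB logs
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so the value is
        # checked in the form the application would actually have seen.
        for value in parse_qs(parts.query, keep_blank_values=True).get("custom_dates", []):
            reason = why_suspicious(value)
            if reason:
                flagged.append({"ip": m["ip"], "ts": m["ts"], "ua": m["ua"],
                                "value": value, "reason": reason})
    return {"flagged": flagged, "blind_posts": blind_posts}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hit in result["flagged"]:
        print(f'{hit["ts"]} {hit["ip"]} ({hit["ua"]}): {hit["reason"]}: {hit["value"]!r}')
    print(f'{result["blind_posts"]} POST request(s) to {WATCHED_PATH} need body-level logs')
```

Matching against the expected shape rather than against a list of SQL keywords means encoded, spaced or commented variants are caught the same way, because the check runs on the decoded value. The access log only reveals query-string parameters, so POST requests to the same endpoint are reported separately as needing application or database logs rather than silently passing.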
Details
- CWE(s)