CVE-2026-30881
Published: 16 March 2026
Summary
CVE-2026-30881 is a high-severity SQL injection (CWE-89) vulnerability in Chamilo LMS. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 11.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- SI-10 (Information Input Validation): Requires validation of unsanitized inputs such as the date_start and date_end parameters to prevent SQL injection in the statistics AJAX endpoint.
- SI-2 (Flaw Remediation): Mandates timely flaw remediation, such as patching Chamilo LMS to version 1.11.36, to eliminate the SQL injection vulnerability.
- Enforces restrictions on input types and patterns for date_start and date_end so that malicious SQL payloads are rejected before they reach the query.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
SQL injection in an internet-facing LMS statistics endpoint directly enables remote exploitation of the application (Exploit Public-Facing Application, T1190) for arbitrary database queries, which in turn supports data collection from repositories (Data from Information Repositories: Databases, T1213.006) and stored data manipulation (T1565.001).
NVD Description
Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST are embedded directly into a raw SQL string without proper sanitization. Although Database::escape_string() is called downstream, its output is immediately neutralized by str_replace("\'", "'", ...), which restores any injected single quotes, effectively bypassing the escaping mechanism entirely. This allows an authenticated attacker to inject arbitrary SQL statements into the database query, enabling blind time-based and conditional data extraction. This issue has been patched in version 1.11.36.
Deeper analysis (AI-generated)
Chamilo LMS, an open-source learning management system, is affected in versions 1.11.34 and prior by CVE-2026-30881, a SQL injection vulnerability (CWE-89) in the statistics AJAX endpoint. The date_start and date_end parameters from $_REQUEST are embedded directly into raw SQL strings without proper sanitization. Database::escape_string() is called downstream, but its output is immediately undone by str_replace("\'", "'", ...), which restores any injected single quotes and fully bypasses the escaping mechanism.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), without changing the scope (S:U). Successful exploitation allows injection of arbitrary SQL statements into database queries, enabling blind time-based and conditional data extraction, with high impacts on confidentiality, integrity, and availability (CVSS 8.8, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The issue has been patched in Chamilo LMS version 1.11.36. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub release notes at https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.36 and the security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5ggx-x2cv-4h44.
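The following PHP is an added illustration, not Chamilo's code and not the fix shipped in 1.11.36. It contrasts the escape-then-unescape pattern described in the NVD description and the analysis above with a hardened handler that accepts only strict YYYY-MM-DD dates and binds them as query parameters. The escape helper `escapeLikeDatabaseLayer()`, the table `stats_visits` and the column `visit_date` are assumptions chosen for the example; the demonstration runs against an in-memory SQLite database with constructed rows.

```php
<?php
declare(strict_types=1);

// Added example; not Chamilo's code and not the 1.11.36 patch.
// escapeLikeDatabaseLayer(), stats_visits (table) and visit_date (column)
// are hypothetical stand-ins chosen for this illustration.

/** Hypothetical escape routine in the spirit of Database::escape_string(): backslash-escapes quotes. */
function escapeLikeDatabaseLayer(string $value): string
{
    return addslashes($value);
}

/**
 * The pattern the advisory describes: escape, then undo the escaping with
 * str_replace("\'", "'", ...) before concatenating into the SQL string.
 * "\\'" below is that same two-character string (backslash, quote).
 */
function buildQueryVulnerable(string $dateStart, string $dateEnd): string
{
    $start = str_replace("\\'", "'", escapeLikeDatabaseLayer($dateStart));
    $end   = str_replace("\\'", "'", escapeLikeDatabaseLayer($dateEnd));
    // Every quote the caller supplied is back in the literal: the escaping achieved nothing.
    return "SELECT COUNT(*) FROM stats_visits WHERE visit_date BETWEEN '$start' AND '$end'";
}

/**
 * Hardened input validation: accept only a strict YYYY-MM-DD calendar date.
 * createFromFormat() already fails on trailing characters; the round-trip
 * comparison additionally rejects overflowed dates such as 2026-02-30,
 * which createFromFormat() would silently roll forward.
 */
function parseIsoDate(string $value): ?string
{
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
    if ($dt === false || $dt->format('Y-m-d') !== $value) {
        return null;
    }
    return $value;
}

/**
 * Hardened query: validated values are bound as parameters, never concatenated,
 * so the driver treats them as data whatever characters they contain.
 */
function countVisits(PDO $db, string $dateStart, string $dateEnd): int
{
    $start = parseIsoDate($dateStart);
    $end   = parseIsoDate($dateEnd);
    if ($start === null || $end === null) {
        throw new InvalidArgumentException('date_start and date_end must be YYYY-MM-DD');
    }
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM stats_visits WHERE visit_date BETWEEN :start AND :end'
    );
    $stmt->bindValue(':start', $start, PDO::PARAM_STR);
    $stmt->bindValue(':end', $end, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// --- Demonstration on an in-memory SQLite database (constructed sample data) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stats_visits (visit_date TEXT NOT NULL)');
foreach (['2026-03-01', '2026-03-10', '2026-03-20'] as $d) {
    $db->prepare('INSERT INTO stats_visits VALUES (:d)')->execute([':d' => $d]);
}

// A stray quote in the value survives the escape/unescape round trip intact,
// so it terminates the SQL string literal instead of staying inside it as data.
$tainted = "2026-03-16'";
echo 'escaped:                   ', escapeLikeDatabaseLayer($tainted), PHP_EOL;
echo 'after str_replace, in SQL: ', buildQueryVulnerable($tainted, '2026-03-31'), PHP_EOL;

// The hardened handler refuses the malformed value and serves well-formed dates.
try {
    countVisits($db, $tainted, '2026-03-31');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo 'visits in range: ', countVisits($db, '2026-03-01', '2026-03-15'), PHP_EOL;
```

Two independent layers are used on purpose: the format check limits the parameters to the only shape the endpoint needs, and parameter binding removes string concatenation altogether, so the query stays safe even if the validation is later relaxed. Escaping alone, as the advisory shows, is fragile because any later string transformation can quietly undo it.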
Details
- CWE(s)