Cyber Posture

CVE-2026-32892

Critical · RCE

Published: 10 April 2026
Modified: 17 April 2026
KEV Added: not listed
Patch: available (see fixed versions below)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.7th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32892 is a critical-severity OS Command Injection (CWE-78) vulnerability in Chamilo LMS (vendor: Chamilo). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 28.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (Unix Shell, T1059.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Requires validation of user-supplied move_to path parameters and backup import filenames to reject shell metacharacters before concatenation into exec() commands.
- prevent: Directly remediates the command injection flaw by applying vendor patches (1.11.38 or 2.0.0-RC.3) that properly escape or sanitize inputs in fileManage.lib.php.
- prevent: Enforces restrictions on input types for file paths and directory names to limit shell metacharacters, complementing validation during document moves and course backup imports.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

CVE enables OS command injection via unescaped user input to exec() shell commands (Unix Shell - T1059.004) in a public-facing web application (Exploit Public-Facing Application - T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter (which only passes through Security::remove_XSS(), an HTML-only filter) is concatenated directly into shell commands such as exec("mv $source $target"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

Deeper analysis

CVE-2026-32892 is an OS Command Injection vulnerability (CWE-78) in Chamilo LMS, an open-source learning management system. It affects versions prior to 1.11.38 and 2.0.0-RC.3, specifically in the move() function within fileManage.lib.php. This function passes user-controlled path values from the move_to POST parameter—filtered only by Security::remove_XSS(), an HTML-only sanitizer—directly into exec() shell commands like "mv $source $target" without proper escaping via escapeshellarg(). The issue was published on 2026-04-10 with a CVSS v3.1 score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Any authenticated user in Chamilo LMS can exploit this vulnerability, as the platform defaults to allow_users_to_create_courses = true, enabling users to self-register as teachers in their own courses. Attackers first place a directory containing shell metacharacters on the filesystem via Course Backup Import, then trigger exploitation by moving a document into that directory through document.php. This results in arbitrary command execution with the privileges of the web server user, such as www-data, allowing high-impact confidentiality, integrity, and availability violations across the scope.

The vulnerability is addressed in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3, with fixes implemented in GitHub commits 3597b19b73d73d681e4fb503285e9bbfe71714bf and 62671e5e268f235cddfba704edee90f35c234df1. The official security advisory at GHSA-59cv-qh65-vvrr provides further details on the patches, recommending immediate upgrades to mitigate the risk.
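The pattern described in the NVD description and the analysis above, an unescaped path reaching exec(), shown beside a hardened document move. This is an added example, not code from Chamilo LMS or its patches; the function names and the temporary directory layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not Chamilo's code). It contrasts the vulnerable shape the
 * advisory describes with a hardened move routine. Function names and the
 * temp-directory layout are hypothetical.
 */

// Vulnerable shape as described in the advisory: $target is derived from the
// user-controlled move_to parameter and reaches /bin/sh unescaped, so shell
// metacharacters in a directory name are interpreted by the shell (CWE-78).
function move_vulnerable(string $source, string $target): void
{
    exec("mv $source $target");
}

// Hardened: allow-list the user-supplied path components, confine the
// resolved paths to the course document root, and use rename() so that no
// shell is involved at all.
function move_hardened(string $docRoot, string $relSource, string $relTargetDir): bool
{
    foreach ([$relSource, $relTargetDir] as $rel) {
        // Conservative character allow-list; '..' is rejected outright so a
        // name cannot climb out of the document root.
        if ($rel === ''
            || !preg_match('~^[A-Za-z0-9_.\- /]+$~', $rel)
            || str_contains($rel, '..')) {
            return false;
        }
    }

    $root = realpath($docRoot);
    $src  = realpath($docRoot . '/' . $relSource);
    $dir  = realpath($docRoot . '/' . $relTargetDir);
    if ($root === false || $src === false || $dir === false
        || !is_file($src) || !is_dir($dir)) {
        return false;
    }

    // Both resolved paths must still sit below the document root (defence in
    // depth on top of the character allow-list above).
    foreach ([$src, $dir] as $p) {
        if (strncmp($p, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
            return false;
        }
    }

    return rename($src, $dir . DIRECTORY_SEPARATOR . basename($src));
}

// If a shell command is unavoidable (for example an external tool), every
// argument must pass through escapeshellarg(), which is the fix the advisory
// names. Returns the command's exit status.
function shell_move_escaped(string $src, string $dst): int
{
    exec('mv ' . escapeshellarg($src) . ' ' . escapeshellarg($dst), $output, $rc);
    return $rc;
}

// Demo on a constructed layout under the system temp directory.
$docRoot = sys_get_temp_dir() . '/lms-demo-' . bin2hex(random_bytes(4));
mkdir($docRoot . '/archive', 0700, true);
file_put_contents($docRoot . '/report.txt', "demo\n");

// A legitimate move within the document root.
var_dump(move_hardened($docRoot, 'report.txt', 'archive'));
// A constructed target name carrying a shell metacharacter is refused by the
// allow-list before any path is resolved.
var_dump(move_hardened($docRoot, 'archive/report.txt', 'a;b'));
// A traversal attempt is refused as well.
var_dump(move_hardened($docRoot, 'archive/report.txt', '../'));
```

The allow-list is deliberately narrow; a deployment that must accept a wider character set should still keep the realpath() containment check and the shell-free rename(), since the validation in move_hardened() is what the SI-10 control above asks for, and escapeshellarg() is the last line of defence only where a shell cannot be avoided.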

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products

- Vendor: chamilo
- Product: chamilo lms
- Versions: 2.0.0 · ≤ 1.11.38

CVEs Like This One

- CVE-2026-35196 (same product: Chamilo Chamilo Lms)
- CVE-2025-50195 (same product: Chamilo Chamilo Lms)
- CVE-2025-50197 (same product: Chamilo Chamilo Lms)
- CVE-2025-50196 (same product: Chamilo Chamilo Lms)
- CVE-2025-50194 (same product: Chamilo Chamilo Lms)
- CVE-2025-50193 (same product: Chamilo Chamilo Lms)
- CVE-2026-33618 (same product: Chamilo Chamilo Lms)
- CVE-2025-50188 (same product: Chamilo Chamilo Lms)
- CVE-2024-47886 (same product: Chamilo Chamilo Lms)
- CVE-2025-52469 (same product: Chamilo Chamilo Lms)
