CVE-2026-33714
Published: 14 April 2026
Summary
CVE-2026-33714 is a high-severity SQL Injection (CWE-89) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Chamilo, an open-source learning management system (LMS), is affected by CVE-2026-33714, a SQL injection vulnerability in version 2.0.0-RC.2. The flaw resides in the statistics AJAX endpoint within the file public/main/inc/ajax/statistics.ajax.php, specifically the users_active action. This issue stems from an incomplete fix for CVE-2026-30881, where the date_start and date_end parameters were sanitized using Security::remove_XSS() for the get_user_registration_by_month action but left unsanitized in users_active, allowing direct interpolation into a SQL query. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-89.
An authenticated administrator can exploit this vulnerability remotely over the network with low complexity. By manipulating the unsanitized date_start and date_end parameters, attackers can perform time-based blind SQL injection, enabling the extraction of arbitrary data from the database.
The Chamilo security advisory (GHSA-w8c4-c7r8-qgw2) and release notes for version 2.0.0 confirm that the issue has been addressed in that release, recommending immediate upgrades from 2.0.0-RC.2 to mitigate the risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22708
Vulnerability details
Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters…
more
in the get_user_registration_by_month action, the same parameters remain unsanitized in the users_active action within the same file (public/main/inc/ajax/statistics.ajax.php), where they are directly interpolated into a SQL query. An authenticated admin can exploit this to perform time-based blind SQL injection, enabling extraction of arbitrary data from the database. This issue has been fixed in version 2.0.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web app (Chamilo LMS AJAX endpoint) enables exploitation of the application (T1190) and direct arbitrary data extraction from the database (T1213.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents SQL injection by requiring input validation mechanisms to sanitize or parameterize unsanitized date_start and date_end parameters before SQL query interpolation.
Mandates identification, reporting, and correction of the specific SQL injection flaw fixed in Chamilo version 2.0.0.
Enables detection of SQL injection vulnerabilities like CVE-2026-33714 through regular vulnerability scanning of web applications.