CVE-2026-33714
Published: 14 April 2026
Summary
CVE-2026-33714 is a high-severity SQL Injection (CWE-89) vulnerability in Chamilo LMS (vendor: Chamilo). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 11.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents SQL injection by requiring input validation mechanisms to sanitize or parameterize the unsanitized date_start and date_end parameters before they are interpolated into a SQL query.
- SI-2 (Flaw Remediation): mandates identification, reporting, and correction of the specific SQL injection flaw fixed in Chamilo version 2.0.0.
- Vulnerability scanning: enables detection of SQL injection vulnerabilities like CVE-2026-33714 through regular vulnerability scanning of web applications.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application (the Chamilo LMS AJAX endpoint) enables exploitation of the application (T1190) and direct extraction of arbitrary data from the database (T1213.006).
NVD Description
Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters in the get_user_registration_by_month action, the same parameters remain unsanitized in the users_active action within the same file (public/main/inc/ajax/statistics.ajax.php), where they are directly interpolated into a SQL query. An authenticated admin can exploit this to perform time-based blind SQL injection, enabling extraction of arbitrary data from the database. This issue has been fixed in version 2.0.0.
Deeper analysis
Chamilo, an open-source learning management system (LMS), is affected by CVE-2026-33714, a SQL injection vulnerability in version 2.0.0-RC.2. The flaw resides in the statistics AJAX endpoint within the file public/main/inc/ajax/statistics.ajax.php, specifically the users_active action. This issue stems from an incomplete fix for CVE-2026-30881, where the date_start and date_end parameters were sanitized using Security::remove_XSS() for the get_user_registration_by_month action but left unsanitized in users_active, allowing direct interpolation into a SQL query. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-89.
An authenticated administrator can exploit this vulnerability remotely over the network with low attack complexity. By manipulating the unsanitized date_start and date_end parameters, an attacker can perform time-based blind SQL injection and extract arbitrary data from the database.
The Chamilo security advisory (GHSA-w8c4-c7r8-qgw2) and release notes for version 2.0.0 confirm that the issue has been addressed in that release, recommending immediate upgrades from 2.0.0-RC.2 to mitigate the risk.
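The root cause above is that an XSS filter (Security::remove_XSS()) was relied on to protect a SQL query, which is the wrong control for CWE-89. The following PHP script is an added illustration, not Chamilo's code: it shows the SI-10 style fix for date_start/date_end, an allow-list date validator in front of a parameterized query. The table name `user`, the column `last_login` and the sample rows are constructed for the example; the hypothetical countActiveUsers() stands in for the users_active action.

```php
<?php
// Added example (not Chamilo's code): allow-list validation of the
// date_start / date_end parameters plus a parameterized query, so that
// request input is never interpolated into SQL text.
declare(strict_types=1);

// Accept only a strict YYYY-MM-DD calendar date; anything else (extra
// characters, quotes, impossible dates such as 2026-02-30) is rejected.
function parseDateParam(string $value): ?string
{
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
    if ($dt === false || $dt->format('Y-m-d') !== $value) {
        return null;
    }
    return $dt->format('Y-m-d');
}

// Hypothetical stand-in for the users_active action: both bounds are bound
// as placeholders instead of being concatenated into the query string.
function countActiveUsers(PDO $db, string $dateStart, string $dateEnd): int
{
    $start = parseDateParam($dateStart);
    $end   = parseDateParam($dateEnd);
    if ($start === null || $end === null) {
        throw new InvalidArgumentException('date_start/date_end must be YYYY-MM-DD');
    }
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM user WHERE last_login BETWEEN :start AND :end'
    );
    $stmt->execute([':start' => $start, ':end' => $end . ' 23:59:59']);
    return (int) $stmt->fetchColumn();
}

// Constructed in-memory sample data so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, last_login TEXT)');
$db->exec("INSERT INTO user (last_login) VALUES
           ('2026-03-02 10:00:00'), ('2026-03-20 08:15:00'), ('2026-04-01 12:00:00')");

echo 'active in March 2026: ', countActiveUsers($db, '2026-03-01', '2026-03-31'), PHP_EOL;

// A value carrying SQL metacharacters fails validation and never reaches the query.
try {
    countActiveUsers($db, "2026-03-01' OR 1=1 -- ", '2026-03-31');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Requires the pdo_sqlite extension; with another driver, only the PDO DSN changes, the validation and placeholder binding stay the same.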
Details
- CWE(s)