Chamilo LMS, an open-source learning management system, suffers from an OS command injection vulnerability identified as CVE-2025-50193 (CWE-78) in versions prior to 1.11.30. The vulnerability resides in the import.php script located at /plugin/vchamilo/views/, where the POST parameter 'to_main_database' is not properly neutralized before being used in OS command execution. This improper sanitization allows an attacker with high-level privileges to inject and execute arbitrary commands on the server hosting the LMS. The vulnerability does not require user interaction but does require the attacker to have authenticated access with elevated privileges, which may limit exposure to internal or compromised users. The CVSS 4.0 base score is 7.1, reflecting high severity due to the network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. The issue was publicly disclosed in March 2026 and has been addressed in Chamilo LMS version 1.11.30. No known active exploits have been reported, but the potential for severe impact remains significant given the nature of the vulnerability and the critical role of LMS platforms in educational and organizational environments.

If exploited, this vulnerability could allow attackers to execute arbitrary OS commands on the server hosting Chamilo LMS, potentially leading to complete system compromise. This includes unauthorized access to sensitive educational data, modification or deletion of records, disruption of LMS services, and use of the compromised server as a pivot point for further attacks within the network. The integrity and confidentiality of user data and course materials could be severely affected. Given the LMS's role in managing critical educational workflows, availability impacts could disrupt learning activities and organizational operations. However, exploitation requires authenticated access with high privileges, which somewhat limits the attack surface to insiders or attackers who have already compromised user credentials with elevated rights. Organizations relying on vulnerable versions face risks of data breaches, service outages, and reputational damage.

Organizations should immediately upgrade Chamilo LMS to version 1.11.30 or later, where this vulnerability is patched. Additionally, implement strict access controls to limit high-privilege user accounts and monitor their activity for suspicious behavior. Employ network segmentation to isolate LMS servers from critical infrastructure to reduce lateral movement risks. Conduct regular audits of user privileges and enforce the principle of least privilege. Deploy web application firewalls (WAFs) with rules designed to detect and block OS command injection attempts targeting the vulnerable parameter. Enable detailed logging and alerting on LMS servers to detect anomalous command execution or unauthorized access attempts. Finally, educate administrators and users about the risks of privilege misuse and ensure timely application of security updates.