CVE-2025-50193: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in chamilo chamilo-lms
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS command injection vulnerability in /plugin/vchamilo/views/import.php with the POST to_main_database parameter. This issue has been patched in version 1.11.30.
AI Analysis
Technical Summary
Chamilo LMS, an open-source learning management system, suffers from an OS command injection vulnerability identified as CVE-2025-50193 (CWE-78) in versions prior to 1.11.30. The vulnerability is located in the import.php script within the /plugin/vchamilo/views/ directory, where the POST parameter 'to_main_database' is improperly sanitized. This improper neutralization of special elements allows an attacker to inject arbitrary OS commands. The CVSS 4.0 base score is 7.1, reflecting high severity due to network attack vector, low attack complexity, no user interaction, but requiring high privileges. The vulnerability impacts confidentiality, integrity, and availability since arbitrary commands can be executed on the host system. The scope is limited to systems running vulnerable Chamilo LMS versions. The flaw was reserved in June 2025 and published in March 2026, with no known exploits in the wild as of now. The vendor patched the issue in version 1.11.30, addressing the input validation flaw. This vulnerability highlights the risk of insufficient input sanitization in web applications, especially those handling critical educational data and user management.
Potential Impact
Exploitation of this vulnerability can lead to full system compromise, allowing attackers to execute arbitrary OS commands with the privileges of the Chamilo LMS process. This can result in unauthorized data access or modification, disruption of LMS services, and potential lateral movement within the network. Educational institutions and organizations relying on Chamilo LMS for training and learning management may face data breaches, loss of sensitive student or staff information, and operational downtime. The high severity and ease of exploitation (no user interaction required) increase the risk of targeted attacks, especially in environments where the LMS is exposed to the internet or insufficiently segmented. Although no exploits are currently known in the wild, the vulnerability's characteristics make it a prime candidate for future exploitation attempts.
Mitigation Recommendations
1. Immediate upgrade to Chamilo LMS version 1.11.30 or later to apply the official patch.
2. Restrict access to the vulnerable import.php endpoint using network-level controls such as firewalls or VPNs to limit exposure.
3. Implement strict input validation and sanitization on all user-supplied data, especially POST parameters, to prevent injection attacks.
4. Enforce the principle of least privilege for the Chamilo LMS service account to minimize impact if compromised.
5. Monitor logs for unusual command execution patterns or unexpected POST requests to the import.php endpoint.
6. Conduct regular security assessments and code reviews focusing on input handling in custom or third-party plugins.
7. Educate administrators on timely patch management and vulnerability disclosure updates for LMS platforms.
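As an added example for recommendation 5 above (not part of this record and not Chamilo code), the following script scans web-server access logs in the common "combined" format for POST requests to the /plugin/vchamilo/views/import.php endpoint named in the advisory and tallies them per client. The sample log lines, client addresses and timestamps are constructed for the demonstration. The to_main_database parameter itself travels in the request body, which access logs do not record, so the check keys on method and path; a hit is a lead to correlate with application logs and the account that was logged in, not proof of exploitation.

```python
"""Flag POST requests to the vchamilo import.php endpoint in access logs.

Added example, not Chamilo project code. Assumes Apache/nginx "combined"
log format. All sample lines below are constructed.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Optional

# Combined format: host ident user [time] "METHOD PATH PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint named in the advisory. The POST body (where to_main_database lives)
# is not written to access logs, so matching is on method and path only.
WATCH_PATH = "/plugin/vchamilo/views/import.php"

# Constructed sample lines: hypothetical clients, users and times.
SAMPLE_LOG = """\
203.0.113.7 - admin [02/Mar/2026:15:20:01 +0000] "GET /plugin/vchamilo/views/import.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - admin [02/Mar/2026:15:20:09 +0000] "POST /plugin/vchamilo/views/import.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Mar/2026:15:21:44 +0000] "POST /plugin/vchamilo/views/import.php?x=1 HTTP/1.1" 302 0 "-" "curl/8.5.0"
198.51.100.23 - - [02/Mar/2026:15:21:45 +0000] "POST /plugin/vchamilo/views/import.php HTTP/1.1" 500 0 "-" "curl/8.5.0"
192.0.2.9 - student1 [02/Mar/2026:15:22:10 +0000] "GET /main/inc/lib/javascript/jquery.min.js HTTP/1.1" 200 89000 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string when matching
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_import_post(rec: dict) -> bool:
    """True for any POST to the watched endpoint, whatever the response status."""
    return rec["method"] == "POST" and rec["path"] == WATCH_PATH


def scan(log_text: str) -> list:
    """Return every parsed record that is a POST to the watched endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_import_post(rec):
            hits.append(rec)
    return hits


def count_by_source(hits: list) -> Counter:
    """Tally hits per (client IP, HTTP auth user). The user field is usually '-'
    because the LMS authenticates with its own session, not HTTP auth."""
    return Counter((h["ip"], h["user"]) for h in hits)


def noisy_sources(hits: list, limit: int = 1) -> list:
    """Clients that POSTed to the endpoint more than `limit` times in the log;
    the import form is an administrative action that normal use rarely repeats."""
    per_ip = Counter(h["ip"] for h in hits)
    return sorted(ip for ip, n in per_ip.items() if n > limit)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"].isoformat()} {h["ip"]} user={h["user"]} status={h["status"]}')
    print("per source:", dict(count_by_source(found)))
    print("repeat sources:", noisy_sources(found))
```

Run against a real log by replacing SAMPLE_LOG with the file contents; non-2xx responses and repeated POSTs from one client are the entries to triage first, and any hit on a host still below 1.11.30 should be cross-checked against the Chamilo admin session that issued it.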
Affected Countries
United States, Brazil, France, Spain, Germany, Argentina, Mexico, Colombia, Italy, Canada
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-13T19:17:51.727Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a5ac1332ffcdb8a23ff3ed
Added to database: 3/2/2026, 3:26:11 PM
Last enriched: 3/2/2026, 3:41:29 PM
Last updated: 3/2/2026, 11:14:38 PM
Views: 3