Chamilo LMS, an open-source learning management system, suffers from an OS Command Injection vulnerability identified as CVE-2025-50196 (CWE-78) in versions prior to 1.11.30. The vulnerability is located in the /plugin/vchamilo/views/editinstance.php script, specifically in the handling of the POST parameter 'main_database'. Improper neutralization of special elements in this parameter allows an attacker to inject and execute arbitrary operating system commands. The CVSS 4.0 base score is 7.1, indicating high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:H means high privileges required, so this is a correction: PR:H means privileges required), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability rated as high or low accordingly. Exploitation requires the attacker to have high privileges on the system, but no user interaction is needed. The vulnerability does not involve scope changes or security controls bypass. This flaw can lead to full system compromise if exploited, allowing attackers to execute arbitrary commands, potentially leading to data theft, system disruption, or further lateral movement. The issue was reserved in June 2025 and published in March 2026, with no known exploits in the wild reported yet. The vendor patched the vulnerability in Chamilo LMS version 1.11.30, addressing the improper input sanitization that allowed command injection.

The vulnerability poses a significant risk to organizations using affected versions of Chamilo LMS, especially educational institutions and enterprises relying on this platform for e-learning and training. Successful exploitation can lead to arbitrary command execution on the underlying server, resulting in full system compromise. This can cause unauthorized data access or exfiltration, data integrity violations, service disruption, and potential pivoting to other internal systems. Given the high privileges required, the threat is more relevant to insiders or attackers who have already gained elevated access. However, the network attack vector means that if an attacker can obtain such privileges remotely, the impact is severe. The compromise of LMS systems can disrupt critical educational services and expose sensitive user data, including personal and academic records. Additionally, compromised LMS servers can be used as footholds for further attacks within an organization's network.

Organizations should immediately upgrade Chamilo LMS to version 1.11.30 or later to apply the official patch that fixes this vulnerability. Until the upgrade is possible, restrict access to the affected endpoint (/plugin/vchamilo/views/editinstance.php) through network segmentation and firewall rules, limiting it to trusted administrators only. Implement strict input validation and sanitization on all parameters, especially those that interact with system commands. Conduct thorough privilege audits to ensure that only necessary users have high-level access to the LMS system. Monitor logs for unusual command execution patterns or unexpected POST requests to the vulnerable parameter. Employ application-layer firewalls or runtime application self-protection (RASP) solutions to detect and block command injection attempts. Regularly review and update security policies related to LMS platforms and conduct security awareness training for administrators. Finally, perform post-patch vulnerability scans and penetration tests to confirm the vulnerability has been fully remediated.