Chamilo LMS, a widely used open-source learning management system, suffers from a critical SQL injection vulnerability identified as CVE-2026-28430. This vulnerability exists in versions prior to 1.11.34 and is triggered via the custom_dates parameter, which is improperly sanitized, allowing attackers to inject malicious SQL commands. The flaw is unauthenticated, meaning no login or prior credentials are required to exploit it remotely. Attackers can leverage this injection to manipulate the backend database, extracting sensitive data such as PII and system configurations. Furthermore, the vulnerability can be chained with a legacy password reset mechanism that is predictable, enabling attackers to escalate privileges and take over administrative accounts fully. This combination significantly increases the threat impact, as it grants complete control over the LMS environment. The vulnerability has been assigned a CVSS 4.0 base score of 9.3 (critical), reflecting its high impact on confidentiality and integrity, ease of exploitation, and lack of required authentication or user interaction. The issue was publicly disclosed on March 16, 2026, and patched in version 1.11.34. No public exploits have been reported yet, but the severity and potential impact necessitate immediate remediation.

The exploitation of CVE-2026-28430 can have devastating consequences for organizations using vulnerable Chamilo LMS versions. Attackers can gain unauthorized access to sensitive educational data, including student and staff PII, grades, and other confidential information. Full administrative account takeover enables attackers to manipulate course content, user permissions, and system settings, potentially disrupting educational operations and damaging organizational reputation. The exposure of system configurations can facilitate further lateral movement within the network or enable additional attacks. Educational institutions, training providers, and any organizations relying on Chamilo LMS face risks of data breaches, compliance violations (e.g., GDPR), and operational downtime. The unauthenticated nature and ease of exploitation increase the likelihood of attacks, especially if the legacy password reset mechanism remains active. The impact extends beyond data loss to include potential long-term compromise of IT infrastructure.

Organizations should immediately upgrade Chamilo LMS to version 1.11.34 or later, where this vulnerability is patched. If immediate upgrade is not feasible, apply any available vendor-provided patches or workarounds that sanitize the custom_dates parameter input. Disable or secure the legacy password reset mechanism to prevent privilege escalation via chaining. Implement web application firewalls (WAFs) with rules specifically designed to detect and block SQL injection attempts targeting the custom_dates parameter. Conduct thorough audits of LMS logs and database access for signs of exploitation. Enforce strict input validation and parameterized queries in any custom integrations with Chamilo LMS. Regularly review and update password reset workflows to ensure they are not predictable or vulnerable. Finally, educate administrators and users about the risks and signs of compromise related to this vulnerability.