Chamilo LMS, an open-source learning management system, suffers from a critical SQL injection vulnerability identified as CVE-2026-28430 (CWE-89) affecting versions prior to 1.11.34. The vulnerability arises from improper neutralization of special elements in SQL commands, specifically through the 'custom_dates' parameter, which is accessible without authentication. This flaw allows remote attackers to inject arbitrary SQL code, enabling them to manipulate the backend database. By exploiting this injection point and chaining it with a predictable legacy password reset mechanism, attackers can escalate privileges and achieve full administrative account takeover without any prior credentials or user interaction. The impact is severe as it exposes the entire database contents, including sensitive personally identifiable information (PII) and system configuration data, potentially compromising confidentiality and integrity. The vulnerability has a CVSS 4.0 base score of 9.3, reflecting its critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality and integrity. Although no known exploits are currently reported in the wild, the ease of exploitation and critical impact necessitate immediate remediation. The vendor has addressed this vulnerability in Chamilo LMS version 1.11.34 by properly sanitizing the input parameters and fixing the legacy password reset mechanism.

The vulnerability allows unauthenticated remote attackers to execute arbitrary SQL commands, leading to full administrative account takeover and complete database exposure. This compromises confidentiality by leaking sensitive user data including PII, integrity by allowing unauthorized data manipulation, and availability if attackers modify or delete critical data. Educational institutions and organizations using Chamilo LMS are at risk of data breaches, unauthorized access, and potential disruption of learning services. The attack requires no credentials or user interaction, increasing the likelihood of exploitation. The exposure of system configurations also aids attackers in further lateral movement or persistent access. The critical nature of this vulnerability can lead to severe reputational damage, regulatory penalties related to data protection laws, and operational downtime.

Organizations should immediately upgrade Chamilo LMS to version 1.11.34 or later, which contains the official patch addressing this vulnerability. Until the upgrade is applied, implement web application firewall (WAF) rules to detect and block SQL injection attempts targeting the 'custom_dates' parameter. Disable or restrict legacy password reset mechanisms if possible, or enforce stronger authentication and validation on password reset workflows. Conduct thorough audits of LMS logs and database integrity to detect any signs of compromise. Employ network segmentation to limit access to the LMS backend database. Regularly back up LMS data and verify backup integrity to enable recovery in case of data corruption or deletion. Educate administrators about the risks of using outdated software and the importance of timely patching. Monitor threat intelligence feeds for any emerging exploits related to this CVE.