Chamilo LMS, a widely used open-source learning management system, suffers from a critical SQL Injection vulnerability identified as CVE-2026-30881, classified under CWE-89. The vulnerability is located in the statistics AJAX endpoint, where the parameters date_start and date_end are taken directly from user input ($_REQUEST) and embedded into raw SQL queries without proper sanitization. Although the code attempts to sanitize inputs using Database::escape_string(), this is undermined by a subsequent str_replace call that replaces escaped single quotes (\') back to unescaped single quotes ('), effectively nullifying the escaping mechanism. This flawed sanitization allows an authenticated attacker to inject arbitrary SQL commands into the database query. The attack vector does not require user interaction beyond authentication, and the vulnerability enables blind time-based and conditional data extraction techniques, allowing attackers to exfiltrate sensitive information from the database. The vulnerability affects all Chamilo LMS versions prior to 1.11.36, where the issue has been fixed. The CVSS v3.1 base score is 8.8, reflecting high severity with network attack vector, low attack complexity, required privileges, no user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild, but the vulnerability presents a significant risk due to the ease of exploitation and potential data compromise.

The SQL Injection vulnerability in Chamilo LMS can have severe consequences for organizations using affected versions. Attackers with valid credentials can exploit this flaw to execute arbitrary SQL commands, leading to unauthorized data disclosure, modification, or deletion. This compromises the confidentiality, integrity, and availability of the LMS database, potentially exposing sensitive user information, course content, and administrative data. The ability to perform blind time-based and conditional data extraction means attackers can stealthily exfiltrate data without immediate detection. Additionally, manipulation of database content could disrupt LMS functionality, causing denial of service or data corruption. Educational institutions, training providers, and enterprises relying on Chamilo LMS for critical learning infrastructure face risks of reputational damage, regulatory non-compliance (especially with data protection laws), and operational disruption if exploited. The network-exploitable nature and low complexity of the attack increase the likelihood of exploitation once credentials are compromised or leaked.

Organizations should immediately upgrade Chamilo LMS to version 1.11.36 or later, where the vulnerability is patched. Until upgrading is possible, implement strict input validation and sanitization on the date_start and date_end parameters at the web application firewall (WAF) or reverse proxy level to block malicious payloads. Enforce the principle of least privilege on database accounts used by Chamilo LMS to limit the impact of potential SQL injection. Monitor database and application logs for unusual query patterns or repeated failed attempts targeting the statistics AJAX endpoint. Employ multi-factor authentication (MFA) to reduce the risk of credential compromise, as exploitation requires authentication. Conduct regular security assessments and code reviews focusing on input handling and sanitization practices. Educate administrators and developers about secure coding standards to prevent similar vulnerabilities. Finally, isolate the LMS environment within secure network segments to reduce exposure.