CVE-2026-32892: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in chamilo chamilo-lms
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter — which only passes through Security::remove_XSS() (an HTML-only filter) — is concatenated directly into shell commands such as exec("mv $source $target"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
AI Analysis
Technical Summary
Chamilo LMS suffers from an OS Command Injection vulnerability (CWE-78) in the move() function of fileManage.lib.php, where user-controlled input from the move_to POST parameter is concatenated directly into shell commands without proper escaping. Authenticated users with teacher roles can exploit this by creating directories with shell metacharacters and moving documents into them, leading to arbitrary command execution as the web server user (www-data). The vulnerability affects Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 and has a CVSS 3.1 score of 9.1, indicating critical severity. The issue is resolved in versions 1.11.38 and 2.0.0-RC.3.
Potential Impact
Successful exploitation allows an authenticated user with teacher privileges to execute arbitrary OS commands on the server with the permissions of the web server user (www-data). This can lead to full compromise of the affected system, including confidentiality, integrity, and availability impacts. The vulnerability is critical due to its high CVSS score (9.1) and the potential for complete system takeover.
Mitigation Recommendations
This vulnerability is fixed in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3. Users should upgrade to one of these versions or later to remediate the issue. Until patched, restrict teacher role assignments to trusted users only and avoid importing course backups from untrusted sources to reduce exploitation risk. Patch status is not explicitly stated beyond the fixed versions; therefore, verify with the vendor advisory for the latest remediation guidance.
CVE-2026-32892: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in chamilo chamilo-lms
Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter — which only passes through Security::remove_XSS() (an HTML-only filter) — is concatenated directly into shell commands such as exec("mv $source $target"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Chamilo LMS suffers from an OS Command Injection vulnerability (CWE-78) in the move() function of fileManage.lib.php, where user-controlled input from the move_to POST parameter is concatenated directly into shell commands without proper escaping. Authenticated users with teacher roles can exploit this by creating directories with shell metacharacters and moving documents into them, leading to arbitrary command execution as the web server user (www-data). The vulnerability affects Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 and has a CVSS 3.1 score of 9.1, indicating critical severity. The issue is resolved in versions 1.11.38 and 2.0.0-RC.3.
Potential Impact
Successful exploitation allows an authenticated user with teacher privileges to execute arbitrary OS commands on the server with the permissions of the web server user (www-data). This can lead to full compromise of the affected system, including confidentiality, integrity, and availability impacts. The vulnerability is critical due to its high CVSS score (9.1) and the potential for complete system takeover.
Mitigation Recommendations
This vulnerability is fixed in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3. Users should upgrade to one of these versions or later to remediate the issue. Until patched, restrict teacher role assignments to trusted users only and avoid importing course backups from untrusted sources to reduce exploitation risk. Patch status is not explicitly stated beyond the fixed versions; therefore, verify with the vendor advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-16T21:03:44.422Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d93c061cc7ad14dada4d4c
Added to database: 4/10/2026, 6:05:58 PM
Last enriched: 4/18/2026, 2:22:18 PM
Last updated: 5/25/2026, 9:30:44 PM
Views: 86
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.