CVE-2026-33714: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in chamilo chamilo-lms
Chamilo LMS version 2. 0. 0-RC. 2 contains a SQL Injection vulnerability in the statistics AJAX endpoint. This vulnerability is due to incomplete sanitization of the date_start and date_end parameters in the users_active action, allowing an authenticated admin to perform time-based blind SQL injection. The issue was fixed in version 2. 0. 0. The vulnerability has a CVSS score of 7. 1, indicating high severity.
AI Analysis
Technical Summary
Chamilo LMS version 2.0.0-RC.2 has a SQL Injection vulnerability (CWE-89) in the statistics AJAX endpoint, specifically in the users_active action of public/main/inc/ajax/statistics.ajax.php. While a previous CVE (2026-30881) was addressed by sanitizing these parameters in one action, the same parameters remain unsanitized in another action, allowing direct interpolation into SQL queries. An authenticated admin can exploit this to perform time-based blind SQL injection and extract arbitrary database data. The vulnerability is fixed in Chamilo LMS version 2.0.0.
Potential Impact
An authenticated administrator can exploit this vulnerability to perform time-based blind SQL injection, potentially extracting arbitrary data from the Chamilo LMS database. This could lead to unauthorized disclosure of sensitive information stored within the system.
Mitigation Recommendations
This vulnerability has been fixed in Chamilo LMS version 2.0.0. Users should upgrade to version 2.0.0 or later to remediate this issue. Patch status is not explicitly confirmed beyond the version fix note; verify with the vendor advisory for the latest remediation guidance.
CVE-2026-33714: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in chamilo chamilo-lms
Description
Chamilo LMS version 2. 0. 0-RC. 2 contains a SQL Injection vulnerability in the statistics AJAX endpoint. This vulnerability is due to incomplete sanitization of the date_start and date_end parameters in the users_active action, allowing an authenticated admin to perform time-based blind SQL injection. The issue was fixed in version 2. 0. 0. The vulnerability has a CVSS score of 7. 1, indicating high severity.
CVSS v4.0
Score 7.1high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Chamilo LMS version 2.0.0-RC.2 has a SQL Injection vulnerability (CWE-89) in the statistics AJAX endpoint, specifically in the users_active action of public/main/inc/ajax/statistics.ajax.php. While a previous CVE (2026-30881) was addressed by sanitizing these parameters in one action, the same parameters remain unsanitized in another action, allowing direct interpolation into SQL queries. An authenticated admin can exploit this to perform time-based blind SQL injection and extract arbitrary database data. The vulnerability is fixed in Chamilo LMS version 2.0.0.
Potential Impact
An authenticated administrator can exploit this vulnerability to perform time-based blind SQL injection, potentially extracting arbitrary data from the Chamilo LMS database. This could lead to unauthorized disclosure of sensitive information stored within the system.
Mitigation Recommendations
This vulnerability has been fixed in Chamilo LMS version 2.0.0. Users should upgrade to version 2.0.0 or later to remediate this issue. Patch status is not explicitly confirmed beyond the version fix note; verify with the vendor advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-23T17:06:05.747Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69deaedd82d89c981f01937d
Added to database: 4/14/2026, 9:17:17 PM
Last enriched: 4/22/2026, 6:34:21 AM
Last updated: 5/29/2026, 9:16:59 PM
Views: 51
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.