{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30881", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-06T00:04:56.699Z", "datePublished": "2026-03-16T19:19:59.782Z", "dateUpdated": "2026-03-16T20:22:42.641Z"}, "containers": {"cna": {"title": "Chamilo LMS: SQL Injection in the statistics AJAX endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5ggx-x2cv-4h44", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5ggx-x2cv-4h44"}, {"name": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.36", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.36"}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"version": "< 1.11.36", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-16T19:19:59.782Z"}, "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST are embedded directly into a raw SQL string without proper sanitization. Although Database::escape_string() is called downstream, its output is immediately neutralized by str_replace(\"\\'\", \"'\", ...), which restores any injected single quotes \u2014 effectively bypassing the escaping mechanism entirely. This allows an authenticated attacker to inject arbitrary SQL statements into the database query, enabling blind time-based and conditional data extraction. This issue has been patched in version 1.11.36."}], "source": {"advisory": "GHSA-5ggx-x2cv-4h44", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30881", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T20:16:05.528581Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:22:42.641Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30881", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T20:16:05.528581Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:20:28.457Z"}}], "cna": {"title": "Chamilo LMS: SQL Injection in the statistics AJAX endpoint", "source": {"advisory": "GHSA-5ggx-x2cv-4h44", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"status": "affected", "version": "< 1.11.36"}]}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5ggx-x2cv-4h44", "name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5ggx-x2cv-4h44", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.36", "name": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.36", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST are embedded directly into a raw SQL string without proper sanitization. Although Database::escape_string() is called downstream, its output is immediately neutralized by str_replace(\"\\'\", \"'\", ...), which restores any injected single quotes \u2014 effectively bypassing the escaping mechanism entirely. This allows an authenticated attacker to inject arbitrary SQL statements into the database query, enabling blind time-based and conditional data extraction. This issue has been patched in version 1.11.36."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-16T19:19:59.782Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30881", "state": "PUBLISHED", "dateUpdated": "2026-03-16T20:22:42.641Z", "dateReserved": "2026-03-06T00:04:56.699Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-16T19:19:59.782Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*", "matchCriteriaId": "87C4F8D8-CDE4-42B6-8661-0F7823DC1079", "versionEndExcluding": "1.11.36", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST are embedded directly into a raw SQL string without proper sanitization. Although Database::escape_string() is called downstream, its output is immediately neutralized by str_replace(\"\\'\", \"'\", ...), which restores any injected single quotes \u2014 effectively bypassing the escaping mechanism entirely. This allows an authenticated attacker to inject arbitrary SQL statements into the database query, enabling blind time-based and conditional data extraction. This issue has been patched in version 1.11.36."}], "id": "CVE-2026-30881", "lastModified": "2026-03-17T18:52:41.947", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-16T20:16:18.640", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.36"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5ggx-x2cv-4h44"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.11.36)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "chamilo-lms", "source": "cna", "vendor": "chamilo"}, "product": "chamilo_lms", "vendor": "chamilo"}], "analysis": {"en": {"generated_at": "2026-03-17T20:38:01.600584+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch to upgrade Chamilo LMS to version 1.11.36 or later", "If immediate patching is not possible, restrict access to the statistics AJAX endpoint to trusted IP ranges or disable the endpoint temporarily", "Verify that no SQL injection is possible by testing the endpoint with values containing single quotes after patching", "Monitor logs for evidence of exploitation, such as unexpected query patterns or repeated failed login attempts"], "summary": {"action": "Immediate Patch", "impact": "Database Data Exfiltration via SQL Injection"}, "threat_synthesis": {"affected_systems": "Affected only Chamilo LMS (chamilo:chamilo-lms) running versions 1.11.34 and older. The fix has been released in 1.11.36.", "description_and_impact": "Chamilo LMS versions 1.11.34 and earlier contain a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end are incorporated directly into a raw SQL string. Although Database::escape_string() is invoked, its output is later neutralized by a str_replace that restores injected single quotes, effectively bypassing the escaping mechanism. This flaw enables an authenticated attacker to inject arbitrary SQL statements, resulting in blind time\u2011based or conditional data extraction, thus compromising database confidentiality.", "risk_and_exploitability": "The CVSS base score is 8.8, indicating high severity, while the EPSS score is below 1\u202f%, suggesting a low likelihood of exploitation currently. It is not listed in the CISA KEV catalog. The vulnerability is exploitable via the web interface\u2019s AJAX endpoint and requires authentication, implying the attack vector is remote but authenticated. No official workaround is available; patching is the only effective remedy."}}}}, "created": "2026-03-17T09:52:12.238926+00:00", "updated": "2026-03-24T10:49:51.955302+00:00", "vendors": ["chamilo", "chamilo$PRODUCT$chamilo_lms"]}