{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33714", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:06:05.747Z", "datePublished": "2026-04-14T21:00:19.259Z", "dateUpdated": "2026-04-15T20:03:16.195Z"}, "containers": {"cna": {"title": "Chamilo LMS has Authenticated SQL Injection in statistics.ajax.php users_active action (2.0 RC2)", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-w8c4-c7r8-qgw2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-w8c4-c7r8-qgw2"}, {"name": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0"}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"version": ">= 2.0.0-RC.2, < 2.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:00:19.259Z"}, "descriptions": [{"lang": "en", "value": "Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters in the get_user_registration_by_month action, the same parameters remain unsanitized in the users_active action within the same file (public/main/inc/ajax/statistics.ajax.php), where they are directly interpolated into a SQL query. An authenticated admin can exploit this to perform time-based blind SQL injection, enabling extraction of arbitrary data from the database. This issue has been fixed in version 2.0.0."}], "source": {"advisory": "GHSA-w8c4-c7r8-qgw2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T18:58:53.531256Z", "id": "CVE-2026-33714", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T20:03:16.195Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33714", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T18:58:53.531256Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:59:32.355Z"}}], "cna": {"title": "Chamilo LMS has Authenticated SQL Injection in statistics.ajax.php users_active action (2.0 RC2)", "source": {"advisory": "GHSA-w8c4-c7r8-qgw2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"status": "affected", "version": ">= 2.0.0-RC.2, < 2.0.0"}]}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-w8c4-c7r8-qgw2", "name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-w8c4-c7r8-qgw2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0", "name": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters in the get_user_registration_by_month action, the same parameters remain unsanitized in the users_active action within the same file (public/main/inc/ajax/statistics.ajax.php), where they are directly interpolated into a SQL query. An authenticated admin can exploit this to perform time-based blind SQL injection, enabling extraction of arbitrary data from the database. This issue has been fixed in version 2.0.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:00:19.259Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33714", "state": "PUBLISHED", "dateUpdated": "2026-04-15T20:03:16.195Z", "dateReserved": "2026-03-23T17:06:05.747Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T21:00:19.259Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "DAF96697-6B6D-459D-9510-E5CEEDC2859B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters in the get_user_registration_by_month action, the same parameters remain unsanitized in the users_active action within the same file (public/main/inc/ajax/statistics.ajax.php), where they are directly interpolated into a SQL query. An authenticated admin can exploit this to perform time-based blind SQL injection, enabling extraction of arbitrary data from the database. This issue has been fixed in version 2.0.0."}], "id": "CVE-2026-33714", "lastModified": "2026-04-23T14:55:39.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T21:16:25.893", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-w8c4-c7r8-qgw2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0-RC.2,2.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "chamilo-lms", "source": "cna", "vendor": "chamilo"}, "product": "chamilo_lms", "vendor": "chamilo"}], "analysis": {"en": {"generated_at": "2026-04-14T22:25:16.667992+00:00", "value": {"mitigation_remediation": ["Upgrade to Chamilo LMS version 2.0.0 or later, where the users_active action sanitization has been added", "If upgrading is not immediately possible, limit the exposure of administrative functions by enforcing strong authentication, such as multi\u2011factor authentication, and restricting network access to the admin interfaces", "As a temporary patch, modify the statistics.ajax.php file to use prepared statements or otherwise strictly validate and escape the date_start and date_end parameters in the users_active action to prevent injection"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Data Access"}, "threat_synthesis": {"affected_systems": "Chamilo LMS version 2.0.0\u2011RC2 is affected. The flaw resides in public/main/inc/ajax/statistics.ajax.php. All installations running this release run the risk of exploitation.", "description_and_impact": "The vulnerability is an authenticated SQL injection in the Chamilo LMS statistics AJAX endpoint. An administrator can supply unsanitized date_start and date_end parameters in the users_active action, where they are directly interpolated into a SQL query. This allows a time\u2011based blind injection that enables the extraction of arbitrary data from the database, exposing confidential information and violating data confidentiality. The weakness is a classic SQL injection (CWE\u201189) and is evidenced by the missing input sanitization.", "risk_and_exploitability": "The vulnerability carries a high severity measured by a CVSS score of 7.1. Exploitability is constrained to authenticated administrators; an attacker must first compromise an admin account or benefit from a privileged role. Time\u2011based blind attacks can be performed with minimal user interaction, but they can be detectable due to the delay introduced. The EPSS score is not available, and the flaw is currently not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting that there are no widespread public exploitation reports yet. Nevertheless, an organization that experiences admin credential compromise can exploit the flaw to exfiltrate data."}}}}, "created": "2026-04-15T13:48:23.626581+00:00", "updated": "2026-04-15T14:31:57.038604+00:00", "vendors": ["chamilo", "chamilo$PRODUCT$chamilo_lms"]}