CVE-2026-30881
published 2026-03-16


Priority: P2 (61) · Severity: high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.28% (19.3th percentile)
Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST are embedded directly into a raw SQL string without proper sanitization. Although Database::escape_string() is called downstream, its output is immediately neutralized by str_replace("\'", "'", ...), which restores any injected single quotes — effectively bypassing the escaping mechanism entirely. This allows an authenticated attacker to inject arbitrary SQL statements into the database query, enabling blind time-based and conditional data extraction. This issue has been patched in version 1.11.36.

Affected (3 ranges)

Vendor    Product       Version range   Fixed in
chamilo   chamilo-lms   -               -
chamilo   chamilo_lms   < 1.11.36       1.11.36
chamilo   chamilo_lms   -               -

Detection & IOCs (extracted from sources)

Path: public/main/inc/ajax/statistics.ajax.php
  • Monitor authenticated requests to the statistics AJAX endpoint (statistics.ajax.php) for time-based blind SQL injection patterns in the date_start and date_end parameters, particularly within the users_active action.
  • Detect exploitation of the escape bypass: the output of Database::escape_string() is immediately neutralized by str_replace("\'", "'", ...), which restores any injected single quotes. Look for single quotes in the date_start/date_end parameters reaching the SQL layer.
  • Flag requests to statistics.ajax.php with action=users_active whose date_start or date_end parameters contain SQL time-based payloads (e.g., SLEEP, BENCHMARK, WAITFOR).
  • CVE-2026-33714 is an incomplete fix for CVE-2026-30881: the get_user_registration_by_month action was patched with Security::remove_XSS(), but the users_active action in the same file remains vulnerable. Ensure both actions are covered in detection rules.
  • Exploitation requires an authenticated session (the attacker must be logged in), so detection should correlate SQL injection attempts with valid authenticated sessions rather than treating the endpoint as unauthenticated.
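The detection notes above can be turned into a small log-scanning rule. The following is an added example written for this page, not code from Chamilo or from the advisory's sources. It assumes a constructed access-log format (client IP, session identifier or "-" for anonymous, request line, status), checks both actions named above, looks for single quotes and the time-based keywords in date_start/date_end, and downgrades hits that lack an authenticated session rather than dropping them. The sample log lines are constructed for the example.

```python
"""Log-scanning rule for requests matching the CVE-2026-30881 pattern.

Added example (not Chamilo's code). Assumed, constructed log format:
    <client_ip> <session_id or -> "<METHOD> <path?query> HTTP/x.y" <status>
"""
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "statistics.ajax.php"
# users_active is the action still vulnerable after the first fix;
# get_user_registration_by_month is the action the first fix covered.
WATCHED_ACTIONS = {"users_active", "get_user_registration_by_month"}
WATCHED_PARAMS = ("date_start", "date_end")

# Time-based keywords named in the advisory's detection notes.
TIME_BASED = re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR)\b", re.IGNORECASE)
# The only shape a legitimate date_start/date_end value should have.
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

LOG_LINE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) HTTP/[\d.]+" (\d{3})$')


def classify_request(path_and_query):
    """Return the reasons a request looks like an injection attempt ([] if clean)."""
    parts = urlsplit(path_and_query)
    if not parts.path.endswith(ENDPOINT):
        return []
    # parse_qs already percent-decodes, so a %27 arrives here as a quote.
    qs = parse_qs(parts.query, keep_blank_values=True)
    action = qs.get("action", [""])[0]
    if action not in WATCHED_ACTIONS:
        return []
    reasons = []
    for name in WATCHED_PARAMS:
        for value in qs.get(name, []):
            if "'" in value:
                reasons.append(f"{name}: single quote reaches the SQL layer")
            if TIME_BASED.search(value):
                reasons.append(f"{name}: time-based SQL keyword")
            if not ISO_DATE.match(value):
                reasons.append(f"{name}: not a plain YYYY-MM-DD date")
    return reasons


def scan_log(lines):
    """Scan access-log lines; an anonymous hit cannot exploit the bug, so it is
    kept at low severity for context rather than silently discarded."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines not in the assumed format
        ip, session, _method, target, _status = m.groups()
        reasons = classify_request(target)
        if not reasons:
            continue
        findings.append({
            "ip": ip,
            "session": session,
            "severity": "high" if session != "-" else "low",
            "reasons": reasons,
        })
    return findings


# Constructed sample lines: a normal call, an authenticated time-based probe,
# the same probe without a session, an unrelated endpoint, and a quote in the
# registration-by-month action.
SAMPLE_LOG = [
    '10.0.0.5 sess_a1b2 "GET /main/inc/ajax/statistics.ajax.php?action=users_active'
    '&date_start=2026-01-01&date_end=2026-01-31 HTTP/1.1" 200',
    '10.0.0.9 sess_c3d4 "GET /main/inc/ajax/statistics.ajax.php?action=users_active'
    "&date_start=2026-01-01'%20AND%20SLEEP(5)--%20&date_end=2026-01-31 HTTP/1.1\" 200",
    '10.0.0.9 - "GET /main/inc/ajax/statistics.ajax.php?action=users_active'
    "&date_start=2026-01-01'%20AND%20SLEEP(5)--%20 HTTP/1.1\" 302",
    '10.0.0.7 sess_e5f6 "GET /main/inc/ajax/other.ajax.php?action=users_active'
    "&date_start=2026-01-01' HTTP/1.1\" 200",
    '10.0.0.8 sess_g7h8 "GET /main/inc/ajax/statistics.ajax.php?action=get_user_registration_by_month'
    "&date_end=2026-02-01' HTTP/1.1\" 200",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The "not a plain date" check is the one worth keeping long term: it catches injection attempts that avoid the listed keywords, and it is also the shape of the input validation the endpoint itself should have applied before the value ever reached a SQL string.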