CVE-2026-35196
Chamilo LMS has OS Command Injection via export_all_certificates action
In short
Chamilo LMS allows attackers to run arbitrary commands on the server by injecting shell commands through a manipulated course code in the certificate export feature. This can lead to complete server compromise, including theft of files and credentials.
Technical detail
OS Command Injection in gradebook.ajax.php export_all_certificates action where unsanitized $_SESSION['_cid'] is concatenated into shell_exec() without escapeshellarg(). Attack requires session manipulation to inject shell metacharacters; successful exploitation results in arbitrary command execution with application privileges, enabling data exfiltration, system modification, and denial of service.
Summary generated and translated by AI from the official description.
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an OS Command Injection vulnerability exists in the main/inc/ajax/gradebook.ajax.php endpoint within the export_all_certificates action, where the course code retrieved from the session variable $_SESSION['_cid'] via api_get_course_id() is concatenated directly into a shell_exec() command string without sanitization or escaping using escapeshellarg(). If an attacker can manipulate or poison their session data to inject shell metacharacters into the _cid variable, they can achieve arbitrary command execution on the underlying server. Successful exploitation grants the ability to read system files and credentials, alter the application and database, or disrupt server availability. This issue has been fixed in version 2.0.0-RC.3.
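The following is an added illustration of the vulnerable pattern the advisory describes and of the hardened form it points to (allowlist validation plus escapeshellarg()). It is not Chamilo's code: the command being built, the allowed course-code pattern, and all function names other than shell_exec() and escapeshellarg() are assumptions; the sample session values are constructed, and nothing here is executed.

```php
<?php
// Added example, not Chamilo's code. Illustrates the bug class from the advisory:
// a session-derived course code concatenated into a shell command string.

// Vulnerable shape (as the advisory describes it): the course code from
// $_SESSION['_cid'] goes straight into the string that shell_exec() would run.
// The command itself is hypothetical; the real one is not given on the page.
function build_export_command_unsafe(string $courseCode): string
{
    return 'zip -r certificates.zip ' . $courseCode;
}

// Hardened shape: reject anything outside a strict allowlist (assumed pattern),
// then still pass the value through escapeshellarg(), which wraps it in single
// quotes and escapes embedded quotes so metacharacters are treated literally.
function build_export_command_safe(string $courseCode): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,40}$/', $courseCode)) {
        throw new InvalidArgumentException('course code contains disallowed characters');
    }
    return 'zip -r certificates.zip ' . escapeshellarg($courseCode);
}

// Constructed session values: a normal course code and one carrying a shell
// metacharacter, as a poisoned session might. Only the resulting command
// strings are printed; neither variant is passed to shell_exec() here.
$samples = ['MATH101', 'MATH101; id'];
foreach ($samples as $cid) {
    echo 'unsafe: ' . build_export_command_unsafe($cid) . PHP_EOL;
    try {
        echo 'safe:   ' . build_export_command_safe($cid) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'safe:   rejected (' . $e->getMessage() . ')' . PHP_EOL;
    }
}
```

With the second sample, the unsafe builder yields a string containing a second command, while the hardened builder rejects it before any command string exists; even without the allowlist, escapeshellarg() alone would turn the whole value into one quoted argument.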
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected products
chamilo · chamilo-lms
Public PoCs found — 1
github: github.com/kx00007/CVE-2026-35196 (★ 0)
Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.