CVE-2025-50197
Received Received - Intake
OS Command Injection in Chamilo LMS via new_language Parameter

Publication date: 2026-03-02

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/admin/sub_language_ajax.inc.php via the POST new_language parameter. This issue has been patched in version 1.11.30.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-03-03
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-15
NVD
CVE-2025-50197
EUVD
EUVD-2025-208166
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chamilo chamilo_lms to 1.11.30 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-50197 is an OS Command Injection vulnerability in Chamilo LMS versions prior to 1.11.30. It occurs in the file /main/admin/sub_language_ajax.inc.php via the POST parameter new_language. The vulnerability arises because user input is not properly validated or sanitized, allowing an attacker with administrator privileges to inject arbitrary system commands or PHP code into language translation files.

The issue is due to improper handling of language variable inputs, where escaping of double quotes is done but backslashes are not properly escaped, enabling code injection. The vulnerability can be exploited by an administrator enabling sub-languages and injecting malicious payloads into language fields, which are then executed when the crafted translation file is accessed.

The patch in version 1.11.30 improves input sanitization by removing cross-site scripting vectors, validating language variable names with strict regular expressions, escaping special characters properly, and refactoring the language variable extraction method to prevent injection or parsing issues.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker with administrator privileges to execute arbitrary system commands on the server hosting Chamilo LMS. This can lead to unauthorized code execution, potentially compromising the integrity and availability of the system.'}, {'type': 'paragraph', 'content': 'Specifically, the attacker can inject malicious PHP code into language translation files, which can be triggered remotely when those files are accessed. This can result in system compromise, data manipulation, or denial of service.'}, {'type': 'paragraph', 'content': "The CVSS v4.0 base score of 7.1 reflects a high severity with low confidentiality impact but high integrity and availability impact, meaning the system's data and operation can be seriously affected."}] [2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying if the Chamilo LMS instance is running a version prior to 1.11.30 and if the vulnerable endpoint /main/admin/sub_language_ajax.inc.php is accessible.'}, {'type': 'paragraph', 'content': 'Since the vulnerability involves the POST parameter new_language being improperly sanitized, one way to detect exploitation attempts is to monitor HTTP POST requests to this endpoint for suspicious payloads containing command injection patterns.'}, {'type': 'paragraph', 'content': 'Suggested commands for detection include using network monitoring or web server logs to filter requests to the vulnerable path, for example:'}, {'type': 'list_item', 'content': "Using grep on web server logs to find POST requests to the vulnerable script: grep 'POST /main/admin/sub_language_ajax.inc.php' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "Using a network packet capture tool like tcpdump or tshark to filter HTTP POST requests to the vulnerable path: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/main/admin/sub_language_ajax.inc.php'"}, {'type': 'paragraph', 'content': 'Additionally, scanning the Chamilo LMS version can be done by checking the application version in the admin interface or by inspecting the version file or changelog to confirm if it is older than 1.11.30.'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation step is to upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability has been patched.'}, {'type': 'paragraph', 'content': 'If immediate upgrade is not possible, restrict access to the vulnerable endpoint /main/admin/sub_language_ajax.inc.php to trusted administrators only and disable the "Allow definition and use of sub-languages" option in the administration settings to prevent exploitation.'}, {'type': 'paragraph', 'content': 'Implement strict input validation and sanitization on the server side for the new_language POST parameter to prevent injection of malicious commands.'}, {'type': 'paragraph', 'content': 'Monitor logs and network traffic for suspicious activity targeting the vulnerable endpoint.'}, {'type': 'paragraph', 'content': 'Follow best practices such as enforcing least privilege for administrator accounts and applying security patches promptly.'}] [2, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-50197. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart