CVE-2026-32892
Received Received - Intake
OS Command Injection in Chamilo LMS File Move Function

Publication date: 2026-04-10

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter β€” which only passes through Security::remove_XSS() (an HTML-only filter) β€” is concatenated directly into shell commands such as exec("mv $source $target"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32892
EUVD
EUVD-2026-21524
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms to 1.11.38 (exc)
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker with teacher-level privileges to execute arbitrary OS commands remotely, resulting in a complete compromise of confidentiality, integrity, and availability of the affected system.

Such a compromise can lead to unauthorized access and exfiltration of sensitive data including database credentials, user data, grades, and documents.

Because of this, the vulnerability poses significant risks to compliance with data protection regulations and standards such as GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches.

Failure to remediate this vulnerability could result in violations of these regulations due to potential data breaches and loss of data integrity.

Executive Summary

CVE-2026-32892 is a critical OS Command Injection vulnerability in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. The vulnerability exists in the move() function within the fileManage.lib.php file, where user-supplied path parameters are passed directly into shell commands executed via PHP's exec() without proper escaping. Specifically, the move_to POST parameter is only filtered by an HTML-focused function and then concatenated into shell commands like exec("mv $source $target"), allowing injection of arbitrary OS commands.

Any authenticated user with a teacher role can exploit this vulnerability by first creating a directory with shell metacharacters in its name (possible via Course Backup Import), then moving a document into this directory to trigger arbitrary command execution as the web server user (www-data). This leads to remote code execution without user interaction.

Impact Analysis

This vulnerability allows an attacker with teacher-level privileges to execute arbitrary OS commands remotely on the server running Chamilo LMS. The impact includes full remote code execution (RCE), which can lead to complete compromise of the system's confidentiality, integrity, and availability.

  • Execution of arbitrary commands as the web server user (www-data).
  • Compromise of the server, including access to sensitive data such as database credentials, user data, grades, and documents.
  • Lateral movement within internal networks.
  • Establishment of persistence through backdoors or cron jobs.
Detection Guidance

This vulnerability involves OS command injection through unsanitized shell command execution in Chamilo LMS, specifically via the move() function and related exec() calls. Detection can focus on monitoring for unusual or unauthorized shell command executions initiated by the web server user (www-data), especially commands involving 'mv' or other file operations with suspicious parameters.

To detect exploitation attempts, you can monitor web server logs for POST requests to document.php with the 'move_to' parameter containing shell metacharacters or suspicious directory names.

Additionally, monitoring process executions or command histories for exec or shell_exec calls with unescaped arguments related to file moves or document handling can help identify exploitation.

Example commands to help detect suspicious activity might include:

  • Check web server access logs for suspicious POST requests: grep 'document.php' /var/log/apache2/access.log | grep 'move_to='
  • Monitor running processes for suspicious mv commands executed by www-data: ps -u www-data -o pid,cmd | grep mv
  • Audit shell command executions by the web server user using auditd or similar tools to detect exec or shell_exec calls with unusual arguments.
  • Look for directories with shell metacharacters in their names created via Course Backup Import or other means.
Mitigation Strategies

Immediate mitigation steps include applying the official patches that sanitize all shell command inputs using PHP's escapeshellarg() function to prevent command injection.

Specifically, update Chamilo LMS to version 1.11.38 or later (or 2.0.0-RC.3 or later) where the vulnerability is fixed.

If immediate patching is not possible, restrict access to the affected functionality by limiting teacher role permissions or disabling course creation and document moving features temporarily.

Implement strict access control checks to ensure only authorized users can execute file move operations.

Consider replacing shell command executions with PHP-native or Symfony Filesystem functions to eliminate the command injection attack surface.

Monitor and audit system logs for suspicious activity related to this vulnerability until the patch is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32892. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart