CVE-2026-35196
Received Received - Intake
OS Command Injection in Chamilo LMS Allows Remote Code Execution

Publication date: 2026-04-14

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an OS Command Injection vulnerability exists in the main/inc/ajax/gradebook.ajax.php endpoint within the export_all_certificates action, where the course code retrieved from the session variable $_SESSION['_cid'] via api_get_course_id() is concatenated directly into a shell_exec() command string without sanitization or escaping using escapeshellarg(). If an attacker can manipulate or poison their session data to inject shell metacharacters into the _cid variable, they can achieve arbitrary command execution on the underlying server. Successful exploitation grants full access to read system files and credentials, alters the application and database, or disrupts server availability. This issue has been fixed in version 2.0.0-RC.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35196
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms 2.0.0
chamilo chamilo_lms to 1.11.38 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Chamilo LMS versions prior to 2.0.0-RC.3. It is an OS Command Injection flaw found in the main/inc/ajax/gradebook.ajax.php endpoint within the export_all_certificates action.

The issue arises because the course code, retrieved from the session variable $_SESSION['_cid'] via the api_get_course_id() function, is directly concatenated into a shell_exec() command string without proper sanitization or escaping.

If an attacker can manipulate or poison their session data to inject shell metacharacters into the _cid variable, they can execute arbitrary commands on the underlying server.

Compliance Impact

This vulnerability allows an attacker to execute arbitrary commands on the server, potentially leading to unauthorized access to sensitive data, alteration of application and database contents, and disruption of server availability.

Such unauthorized access and data manipulation could result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information, maintaining data integrity, and ensuring system availability.

Impact Analysis

Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the server hosting Chamilo LMS.

  • Read sensitive system files and credentials.
  • Alter the application and its database.
  • Disrupt server availability, potentially causing denial of service.
Mitigation Strategies

To mitigate this vulnerability, upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where the issue has been fixed.

Avoid using vulnerable versions prior to 2.0.0-RC.3, as they allow OS command injection via unsanitized session variables.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35196. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart