{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32892", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T21:03:44.422Z", "datePublished": "2026-04-10T17:56:57.695Z", "dateUpdated": "2026-04-14T14:07:14.704Z"}, "containers": {"cna": {"title": "OS Command Injection in Chamilo LMS 1.11.36", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-59cv-qh65-vvrr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-59cv-qh65-vvrr"}, {"name": "https://github.com/chamilo/chamilo-lms/commit/3597b19b73d73d681e4fb503285e9bbfe71714bf", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/commit/3597b19b73d73d681e4fb503285e9bbfe71714bf"}, {"name": "https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1"}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"version": "< 1.11.38", "status": "affected"}, {"version": ">= 2.0.0-alpha.1, < 2.0.0-RC.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T17:56:57.695Z"}, "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter \u2014 which only passes through Security::remove_XSS() (an HTML-only filter) \u2014 is concatenated directly into shell commands such as exec(\"mv $source $target\"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."}], "source": {"advisory": "GHSA-59cv-qh65-vvrr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:07:07.082335Z", "id": "CVE-2026-32892", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:07:14.704Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32892", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T14:07:07.082335Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:07:10.674Z"}}], "cna": {"title": "OS Command Injection in Chamilo LMS 1.11.36", "source": {"advisory": "GHSA-59cv-qh65-vvrr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"status": "affected", "version": "< 1.11.38"}, {"status": "affected", "version": ">= 2.0.0-alpha.1, < 2.0.0-RC.3"}]}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-59cv-qh65-vvrr", "name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-59cv-qh65-vvrr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chamilo/chamilo-lms/commit/3597b19b73d73d681e4fb503285e9bbfe71714bf", "name": "https://github.com/chamilo/chamilo-lms/commit/3597b19b73d73d681e4fb503285e9bbfe71714bf", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1", "name": "https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter \u2014 which only passes through Security::remove_XSS() (an HTML-only filter) \u2014 is concatenated directly into shell commands such as exec(\"mv $source $target\"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T17:56:57.695Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32892", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:07:14.704Z", "dateReserved": "2026-03-16T21:03:44.422Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T17:56:57.695Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter \u2014 which only passes through Security::remove_XSS() (an HTML-only filter) \u2014 is concatenated directly into shell commands such as exec(\"mv $source $target\"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."}], "id": "CVE-2026-32892", "lastModified": "2026-04-13T15:02:06.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-10T18:16:41.797", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/chamilo/chamilo-lms/commit/3597b19b73d73d681e4fb503285e9bbfe71714bf"}, {"source": "security-advisories@github.com", "url": "https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1"}, {"source": "security-advisories@github.com", "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-59cv-qh65-vvrr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.11.38)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0-alpha.1,2.0.0-RC.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "chamilo-lms", "source": "cna", "vendor": "chamilo"}, "product": "chamilo_lms", "vendor": "chamilo"}], "analysis": {"en": {"generated_at": "2026-04-10T19:22:45.330779+00:00", "value": {"mitigation_remediation": ["Apply the latest Chamilo LMS patch to release 1.11.38 or newer; 2.0.0\u2011RC.3 and later also include the fix.", "If upgrading immediately is not possible, disable or remove the Course Backup Import capability to prevent creation of directories with shell metacharacters.", "Restrict the ability for teachers to move documents or disable the move function entirely until a patch can be applied.", "Set the configuration option allow_users_to_create_courses to false so that only administrators can create courses, limiting the scope of the vulnerability."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Chamilo LMS, provided by chamilo:chamilo-lms, affects versions prior to 1.11.38 and prior to 2.0.0\u2011RC.3. Users employing 1.11.36 or earlier are vulnerable; the fix is included in the releases 1.11.38 and 2.0.0\u2011RC.3. The vulnerability is tied to the move() function in fileManage.lib.php used by document.php.", "description_and_impact": "Chamilo Learning Management System uses a file move function that directly places user\u2011controlled path values into system shell commands without proper sanitization. This allows authenticated users, specifically teachers who can freely move documents, to inject arbitrary commands. The vulnerability becomes active when a user creates a directory containing shell metacharacters\u2014possible through the Course Backup Import feature\u2014and then moves a document into that directory, causing the web server\u2019s user process to execute unintended commands. The outcome is full control of the web server running the LMS, compromising confidentiality, integrity, and availability of the system and any data stored therein.", "risk_and_exploitability": "The CVSS score of 9.1 indicates high severity. Exploitation requires only an authenticated teacher account and the ability to import a backup or otherwise create a directory name with shell metacharacters; no special conditions beyond those are stated. EPSS data is not available, but the absence from CISA\u2019s KEV catalog does not negate the risk. The attack vector is local to the application but results in remote system compromise. Due to the straightforward exploitation path and elevated privileges required, the likelihood of an attacker successfully leveraging this flaw in an operational environment is considerable."}}}}, "created": "2026-04-13T12:43:32.380095+00:00", "updated": "2026-04-13T12:59:53.423482+00:00", "vendors": ["chamilo", "chamilo$PRODUCT$chamilo_lms"]}