CVE-2026-28430

216.73.216.6

· Published 16/03/2026 20:16 · Modified 17/03/2026 18:53

Labels: CVE-2026-28430 2026-03-16 CVE-2026-28430 CWE-89 [email protected]

Essential information

Published: 16/03/2026 20:16
Modified: 17/03/2026 18:53
Author: —
Creator: —
CVSS: 9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the custom_dates parameter. By chaining this with a predictable legacy password reset mechanism, an attacker can achieve full administrative account takeover without any prior credentials. The vulnerability also exposes the entire database, including PII and system configurations. This issue has been patched in version 1.11.34.

NVD status

Status: Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
chamilo / chamilo lms	`cpe:2.3:a:chamilo:chamilo_lms::::::::`