CVE-2026-33714 — HIGH (7.2)

Vulnerability Description

Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters in the get_user_registration_by_month action, the same parameters remain unsanitized in the users_active action within the same file (public/main/inc/ajax/statistics.ajax.php), where they are directly interpolated into a SQL query. An authenticated admin can exploit this to perform time-based blind SQL injection, enabling extraction of arbitrary data from the database. This issue has been fixed in version 2.0.0.

CVSS Score

7.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Chamilo	Chamilo Lms	2.0.0

Related Weaknesses (CWE)

CWE-89

References

https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0ProductRelease Notes
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-w8c4-c7r8-qgw2MitigationVendor Advisory

FAQ

What is CVE-2026-33714?

CVE-2026-33714 is a vulnerability with a CVSS score of 7.2 (HIGH). Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. Wh...

How severe is CVE-2026-33714?

CVE-2026-33714 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-33714?

Check the references section above for vendor advisories and patch information. Affected products include: Chamilo Chamilo Lms.