CVE-2026-28430 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: March 17, 2026
Chamilo LMS - SQL Injection
Overview
Chamilo LMS < 1.11.34 contains an unauthenticated SQL injection caused by improper sanitization of the custom_dates parameter, letting remote attackers execute arbitrary SQL commands and achieve full administrative takeover, exploit requires no authentication.
Severity & Score
Impact
Remote attackers can execute arbitrary SQL commands, access sensitive data, and take over administrative accounts.
Mitigation
Upgrade to version 1.11.34 or later.
References
Social Media Activity(2 posts)
Chamilo LMS < 1.11.34 has a CRITICAL SQL injection vuln (CVE-2026-28430, CVSS 9.3). Unauth attackers can hijack admin accounts & access PII. Upgrade to 1.11.34 ASAP. No public exploits yet. https://radar.offseq.com/threat/cve-2026-28430-cwe-89-improper-neutralization-of-s-36133b16 #OffSeq #SQLInjection #Chamilo #InfoSec
View original post
Chamilo LMS < 1.11.34 has a CRITICAL SQL injection vuln (CVE-2026-28430, CVSS 9.3). Unauth attackers can hijack admin accounts & access PII. Upgrade to 1.11.34 ASAP. No public exploits yet. https://radar.offseq.com/threat/cve-2026-28430-cwe-89-improper-neutralization-of-s-36133b16 #OffSeq #SQLInjection #Chamilo #InfoSec
View original postRelated Resources
Details
- CVE ID
- CVE-2026-28430
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- sql_injection
- Status
- confirmed
- EPSS
- 14.3%
- Social Posts
- 2
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H