LeakyCreds

CVE-2026-30881 - Vulnerability Analysis

High | CVSS: 8.8

Last Updated: March 17, 2026

Chamilo LMS - SQL Injection

Published: March 16, 2026 | Updated: March 17, 2026 | Remote Exploitable

Overview

Chamilo LMS <= 1.11.34 contains a SQL injection vulnerability in the statistics AJAX endpoint. The date_start and date_end parameters are improperly sanitized, which lets authenticated attackers extract data via blind SQL injection.

Severity & Score

Severity: High
CVSS Score: 8.8
EPSS Score: 2.9% (probability of exploitation in the next 30 days)

Impact

Authenticated attackers can extract sensitive data from the database via blind SQL injection, potentially compromising confidentiality.

Mitigation

Update to version 1.11.36 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 16, 2026

🟠 CVE-2026-30881 - High (8.8) Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST are embedded directly into a raw SQL string withou... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30881/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-30881
Severity: High
CVSS Score: 8.8
Type: sql_injection
Status: confirmed
EPSS: 2.9%
Social Posts: 1

CWE

  • CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

2.9% (probability of exploitation in the next 30 days)