CVE-2026-32892 - Vulnerability Analysis
Critical | CVSS: 9.1 | Last Updated: April 10, 2026
Chamilo LMS - OS Command Injection
Published: April 10, 2026 | Updated: April 10, 2026 | Remote Exploitable
Overview
Chamilo LMS versions before 1.11.38 and before 2.0.0-RC.3 contain an OS command injection vulnerability caused by unsanitized user input in the move() function in fileManage.lib.php. It lets authenticated teacher users execute arbitrary commands as the web server user. Exploitation requires the attacker to create a directory whose name contains shell metacharacters.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Authenticated teacher users can execute arbitrary OS commands as the web server user, potentially leading to full server compromise.
Mitigation
Upgrade to versions 1.11.38 or 2.0.0-RC.3 or later.
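Because exploitation depends on a directory whose name contains shell metacharacters, existing course storage can be audited for such names. The following Python script is an added example, not code from Chamilo or from this advisory; the metacharacter set and the sample tree are assumptions constructed for illustration, and the directory to scan is passed as the first argument.

```python
import os
import sys
import tempfile

# Assumed set of characters a POSIX shell treats specially when a path is
# placed unquoted into a command string. Space is left out to limit noise.
SHELL_META = set(";&|`$(){}<>\\\"'*?!#~\n\r\t")

def find_suspicious_dirs(root):
    """Return sorted (relative_path, metachars) for every directory under
    root whose own name contains at least one shell metacharacter."""
    hits = []
    for current, dirnames, _files in os.walk(root):
        for name in dirnames:
            found = "".join(sorted(set(name) & SHELL_META))
            if found:
                rel = os.path.relpath(os.path.join(current, name), root)
                hits.append((rel, found))
    return sorted(hits)

def build_sample_tree(base):
    """Constructed sample layout, not taken from a real Chamilo install."""
    for rel in ("course1/document/week1",
                "course1/document/slides;tmp",
                "course2/document/lab $(x)/sub",
                "course2/document/plain name"):
        os.makedirs(os.path.join(base, rel))

def demo():
    """Run the audit over the constructed sample tree and return the hits."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return find_suspicious_dirs(base)

if __name__ == "__main__":
    # With an argument, audit that directory; without one, run the demo.
    results = find_suspicious_dirs(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, chars in results:
        print(f"{path!r}: metacharacters {chars!r}")
```

A hit is a lead for review, not proof of compromise: compare the directory's creation time and owning account against teacher activity in the web server and application logs.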
Details
- CVE ID: CVE-2026-32892
- Severity: Critical
- CVSS Score: 9.1
- Type: command_injection
- Status: new
CWE
- CWE-78
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H