Cyber Posture

CVE-2026-28430

Critical

Published: 16 March 2026
Modified: 17 March 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (29.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the custom_dates parameter. By chaining this with a predictable legacy password reset mechanism, an attacker can achieve full administrative account takeover without any prior credentials. The vulnerability also exposes the entire database, including PII and system configurations. This issue has been patched in version 1.11.34.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Directly prevents the unauthenticated SQL injection via the custom_dates parameter by requiring validation of all information inputs to block arbitrary SQL command execution.
- prevent: Mandates identification, reporting, and correction of flaws like the SQL injection vulnerability patched in Chamilo LMS version 1.11.34.
- detect: Requires vulnerability scanning to identify SQL injection flaws such as CVE-2026-28430 in the application prior to exploitation.

Security Summary (AI-generated)

CVE-2026-28430 is an unauthenticated SQL injection vulnerability (CWE-89) affecting Chamilo LMS, an open-source learning management system, in versions prior to 1.11.34. The flaw resides in the handling of the custom_dates parameter, enabling remote attackers to execute arbitrary SQL commands against the backend database. With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it poses a critical risk due to its high confidentiality, integrity, and availability impacts.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required. Successful exploitation allows arbitrary SQL execution, potentially dumping the entire database—including personally identifiable information (PII) and system configurations. By chaining the SQL injection with a predictable legacy password reset mechanism, attackers can achieve full administrative account takeover without any prior credentials, granting complete control over the LMS instance.

The vulnerability has been addressed in Chamilo LMS version 1.11.34, as detailed in the project's GitHub release notes (https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34) and security advisory (https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-84gw-qjw9-v8jv). Security practitioners should prioritize upgrading to the patched version and review database access logs for signs of exploitation.
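The summary above recommends reviewing access logs for signs of exploitation. The following script is an added example, not code from this page or from the Chamilo project: it parses web server access log lines in the common combined format, flags requests whose custom_dates value carries SQL metacharacters or keywords instead of a date, and then looks for the chain the advisory describes (an injection-like request from a source address followed by a password-reset request from the same address). The log lines, IP addresses and paths are constructed for the example, the expected YYYY-MM-DD shape of the parameter is an assumption, and the reset path name is a placeholder rather than Chamilo's real endpoint.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format. IPs and paths are invented
# for this example; only the parameter name custom_dates comes from the
# advisory. The reset path is a hypothetical placeholder, not Chamilo's own.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Mar/2026:10:01:02 +0000] "GET /main/report.php?custom_dates=2026-03-01 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Mar/2026:10:01:05 +0000] "GET /main/report.php?custom_dates=2026-03-01'%20OR%20'1'%3D'1 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Mar/2026:10:02:00 +0000] "GET /main/report.php?custom_dates=1%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 500 0 "-" "curl/8.4"
198.51.100.7 - - [16/Mar/2026:10:02:30 +0000] "POST /main/auth/reset_password.php HTTP/1.1" 302 0 "-" "curl/8.4"
192.0.2.5 - - [16/Mar/2026:10:03:00 +0000] "GET /main/report.php?custom_dates=2026-03-02 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: client, identity, user, [timestamp], "METHOD target PROTO", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Generic SQL injection indicators for a value that should only ever be a date.
INDICATORS = {
    "quote": re.compile(r"['\"]"),
    "comment": re.compile(r"--|/\*|#"),
    "tautology": re.compile(r"\bor\b\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark|waitfor)\b", re.I),
}

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")  # assumed legitimate shape of the value
WATCHED_PARAM = "custom_dates"
RESET_PATH_HINT = "reset_password"  # hypothetical placeholder for the reset endpoint


def parse_line(line):
    """Parse one combined-format line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    parts = urlsplit(fields["target"])
    fields["path"] = parts.path
    # parse_qs percent-decodes values, so indicators run on what the app would see.
    fields["params"] = parse_qs(parts.query, keep_blank_values=True)
    return fields


def sqli_indicators(value):
    """Return the names of the indicators that fire on a decoded parameter value."""
    if DATE_RE.match(value):
        return []  # well-formed date, nothing to report
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def scan_log(text):
    """Flag every request whose custom_dates value carries SQL injection indicators."""
    findings = []
    for line in text.splitlines():
        req = parse_line(line)
        if not req:
            continue
        for value in req["params"].get(WATCHED_PARAM, []):
            hits = sqli_indicators(value)
            if hits:
                findings.append({"ip": req["ip"], "ts": req["ts"], "status": req["status"],
                                 "value": value, "indicators": hits})
    return findings


def suspected_takeover_chains(text):
    """Source IPs that sent an injection-like custom_dates value and later hit the
    password-reset path, i.e. the SQLi-then-reset chain the advisory describes."""
    seen_injection, chained = set(), set()
    for line in text.splitlines():
        req = parse_line(line)
        if not req:
            continue
        if any(sqli_indicators(v) for v in req["params"].get(WATCHED_PARAM, [])):
            seen_injection.add(req["ip"])
        elif RESET_PATH_HINT in req["path"] and req["ip"] in seen_injection:
            chained.add(req["ip"])
    return chained


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} custom_dates={f['value']!r} "
              f"-> {', '.join(f['indicators'])}")
    print("suspected takeover chains:", sorted(suspected_takeover_chains(SAMPLE_LOG)))
```

The indicator list is deliberately generic (quotes, comment sequences, tautologies, UNION SELECT, time-based functions) so it also catches variants beyond the two constructed lines; in production the date check would be tightened to whatever format the application actually accepts, and the reset-path hint replaced with the real endpoint so the chain correlation is exact rather than a substring match.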

Details

CWE(s): CWE-89 (SQL injection)

Affected Products: chamilo / chamilo lms, ≤ 1.11.34

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

Unauthenticated SQL injection in a public-facing web application (Chamilo LMS) directly enables T1190 (Exploit Public-Facing Application). Arbitrary SQL execution facilitates dumping database contents, mapping to T1213.006 (Data from Information Repositories: Databases).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
