Cyber Posture

CVE-2026-32892

Critical

Published: 10 April 2026
Modified: 17 April 2026
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0012 (percentile 30.1)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter — which only passes through Security::remove_XSS() (an HTML-only filter) — is concatenated directly into shell commands such as exec("mv $source $target"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

Mitigating Controls (NIST 800-53 r5)

prevent: Requires validation of user-supplied move_to path parameters and backup import filenames to reject shell metacharacters before concatenation into exec() commands.

prevent: Directly remediates the command injection flaw by applying vendor patches (1.11.38 or 2.0.0-RC.3) that properly escape or sanitize inputs in fileManage.lib.php.

prevent: Enforces restrictions on input types for file paths and directory names to limit shell metacharacters, complementing validation during document moves and course backup imports.
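The description above explains the flaw (user-controlled paths interpolated into an exec() string) and the mitigating controls describe the fix (validate path components and escape or avoid the shell). The following PHP is an added example written for this page, not code from Chamilo or from the referenced patches; the function names, the regex allow-list and the temporary-directory demo are illustrative assumptions, and it assumes PHP 8 or later for str_starts_with(). It shows the unsafe shape beside two hardened alternatives: escapeshellarg() when a shell command cannot be avoided, and a validated rename() that never touches a shell at all.

```php
<?php
// Added example, not Chamilo's fileManage.lib.php: the unsafe pattern the
// advisory describes next to hardened alternatives. Names are hypothetical.
declare(strict_types=1);

// Unsafe shape (as described on the page): path values reach the shell raw,
// so metacharacters in a directory name are interpreted as commands.
function move_unsafe(string $source, string $target): void
{
    exec("mv $source $target");
}

// Hardening 1: reject any path component outside a strict allow-list before it
// reaches a command or the filesystem. Apply the same check to names coming
// from backup imports, which is where the advisory says hostile names originate.
function is_safe_path_component(string $component): bool
{
    if ($component === '' || $component === '.' || $component === '..') {
        return false;
    }
    // Letters, digits, dot, underscore, hyphen and space only; no shell
    // metacharacters, no slashes, no control characters.
    return preg_match('/^[A-Za-z0-9._ -]+$/', $component) === 1;
}

function is_safe_relative_path(string $path): bool
{
    if ($path === '' || str_starts_with($path, '/')) {
        return false;
    }
    foreach (explode('/', $path) as $part) {
        if (!is_safe_path_component($part)) {
            return false;
        }
    }
    return true;
}

// Hardening 2: if exec() is unavoidable, quote every argument with
// escapeshellarg() so each path is passed as one literal word.
function move_with_escaped_shell(string $source, string $target): bool
{
    exec('mv ' . escapeshellarg($source) . ' ' . escapeshellarg($target), $out, $rc);
    return $rc === 0;
}

// Hardening 3 (preferred): no shell at all. rename() receives the paths as
// arguments, so metacharacters are ordinary filename bytes. Both ends are
// also confined to $base after symlink resolution.
function move_without_shell(string $base, string $sourceFile, string $targetDir): bool
{
    if (!is_safe_relative_path($sourceFile) || !is_safe_relative_path($targetDir)) {
        return false;
    }
    $realBase   = realpath($base);
    $realSrc    = realpath($base . '/' . $sourceFile);
    $realDstDir = realpath($base . '/' . $targetDir);
    if ($realBase === false || $realSrc === false || $realDstDir === false
        || !is_dir($realDstDir)
        || !str_starts_with($realSrc, $realBase . '/')
        || !str_starts_with($realDstDir . '/', $realBase . '/')) {
        return false;
    }
    return rename($realSrc, $realDstDir . '/' . basename($realSrc));
}

// Demo on constructed files in a scratch directory (no real course data).
$base = sys_get_temp_dir() . '/move_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/course/archive', 0700, true);
file_put_contents($base . '/course/notes.txt', "constructed sample\n");

var_dump(is_safe_relative_path('course/archive'));   // bool(true)
var_dump(is_safe_relative_path('course/x; id'));     // bool(false): ';' rejected
var_dump(is_safe_relative_path('../etc'));           // bool(false): traversal rejected
var_dump(move_without_shell($base, 'course/notes.txt', 'course/archive')); // bool(true)
var_dump(file_exists($base . '/course/archive/notes.txt'));                 // bool(true)
```

The allow-list validator is the control that also addresses the first step the advisory describes (a hostile directory name landing on disk via import): if that name never passes is_safe_path_component(), the later move has nothing dangerous to concatenate. escapeshellarg() alone closes the injection but still leaves path-traversal and symlink questions to the caller, which is why the rename()-based variant checks realpath() against the base directory as well.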

Security Summary

CVE-2026-32892 is an OS Command Injection vulnerability (CWE-78) in Chamilo LMS, an open-source learning management system. It affects versions prior to 1.11.38 and 2.0.0-RC.3, specifically in the move() function within fileManage.lib.php. This function passes user-controlled path values from the move_to POST parameter—filtered only by Security::remove_XSS(), an HTML-only sanitizer—directly into exec() shell commands like "mv $source $target" without proper escaping via escapeshellarg(). The issue was published on 2026-04-10 with a CVSS v3.1 score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Any authenticated user in Chamilo LMS can exploit this vulnerability, as the platform defaults to allow_users_to_create_courses = true, enabling users to self-register as teachers in their own courses. Attackers first place a directory containing shell metacharacters on the filesystem via Course Backup Import, then trigger exploitation by moving a document into that directory through document.php. This results in arbitrary command execution with the privileges of the web server user, such as www-data, allowing high-impact confidentiality, integrity, and availability violations across the scope.

The vulnerability is addressed in Chamilo LMS versions 1.11.38 and 2.0.0-RC.3, with fixes implemented in GitHub commits 3597b19b73d73d681e4fb503285e9bbfe71714bf and 62671e5e268f235cddfba704edee90f35c234df1. The official security advisory at GHSA-59cv-qh65-vvrr provides further details on the patches, recommending immediate upgrades to mitigate the risk.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products
chamilo / chamilo lms: 2.0.0 · ≤ 1.11.38

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

This CVE enables OS command injection through unescaped user input reaching exec() shell commands (Unix Shell, T1059.004) in a public-facing web application (Exploit Public-Facing Application, T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
