Chamilo LMS OS Command Injection: A Session Poisoning Nightmare
The National Vulnerability Database (NVD) has flagged CVE-2026-35196, a critical OS Command Injection vulnerability in Chamilo LMS, an open-source learning management system. This flaw, present in versions prior to 2.0.0-RC.3, resides within the main/inc/ajax/gradebook.ajax.php endpoint, specifically in the export_all_certificates action.
According to the NVD, the issue stems from the course code (_cid) variable, which is read straight from the user's session ($_SESSION['_cid']) via api_get_course_id() and then concatenated, without sanitization or escaping, into a shell_exec() command string. This is a classic command injection scenario: if an attacker can manipulate or 'poison' their session data so that the _cid value carries shell metacharacters, they can execute arbitrary commands on the underlying server. Such a breach could expose sensitive system files and credentials, allow the application and database to be altered, or enable disruption of the server. The flaw is rated CVSS 8.8 (HIGH), classified as CWE-78, and fixed in Chamilo LMS version 2.0.0-RC.3.
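To make the CWE-78 pattern concrete, the following PHP is an added illustration and is not Chamilo's code: the first function shows the shape of the flaw the advisory describes (a session-derived course code spliced into a shell string), and the two that follow show how a defender closes it. The function names, the export directory, the zip command and the course-code format are assumptions made for the example.

```php
<?php
// Added example, not Chamilo LMS source. Paths, command and function names are assumptions.

// --- Vulnerable shape (schematic) ---
// $courseCode originates in $_SESSION['_cid']; whatever it contains lands on the command line.
function export_certificates_vulnerable(string $courseCode): ?string
{
    $exportDir = '/var/www/chamilo/app/cache/certificates/' . $courseCode;
    // Any shell metacharacter in $courseCode is interpreted by the shell, not treated as data.
    return shell_exec('zip -r /tmp/' . $courseCode . '.zip ' . $exportDir);
}

// --- Hardened: validate, confine, and quote ---
// Assumed course-code format: short alphanumeric identifier. Tighten to your deployment's rules.
function validate_course_code(string $courseCode): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,40}$/', $courseCode)) {
        throw new InvalidArgumentException('Invalid course code');
    }
    return $courseCode;
}

// Resolve the export directory and refuse anything that escapes the base directory,
// so a validated code still cannot point the command at an arbitrary path.
function resolve_export_dir(string $courseCode): string
{
    $base = realpath('/var/www/chamilo/app/cache/certificates');
    $exportDir = ($base === false) ? false : realpath($base . '/' . $courseCode);
    if ($base === false || $exportDir === false
        || strncmp($exportDir, $base . '/', strlen($base) + 1) !== 0) {
        throw new RuntimeException('Export directory is outside the expected base');
    }
    return $exportDir;
}

function export_certificates_hardened(string $courseCode): ?string
{
    $courseCode = validate_course_code($courseCode);
    $exportDir  = resolve_export_dir($courseCode);
    $zipPath    = sys_get_temp_dir() . '/' . $courseCode . '.zip';

    // escapeshellarg() wraps the value in single quotes and escapes embedded quotes, so the
    // shell receives each value as exactly one literal argument whatever it contains.
    $cmd = 'zip -r ' . escapeshellarg($zipPath) . ' ' . escapeshellarg($exportDir);
    return shell_exec($cmd);
}

// --- Better still: no shell at all ---
// ZipArchive builds the archive in-process, so there is no command line for metacharacters to reach.
function export_certificates_no_shell(string $courseCode): string
{
    $courseCode = validate_course_code($courseCode);
    $exportDir  = resolve_export_dir($courseCode);
    $zipPath    = sys_get_temp_dir() . '/' . $courseCode . '.zip';

    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException('Cannot create archive');
    }
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($exportDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->isFile()) {
            // Store paths relative to the export directory inside the archive.
            $zip->addFile($file->getPathname(), substr($file->getPathname(), strlen($exportDir) + 1));
        }
    }
    $zip->close();
    return $zipPath;
}
```

The order of the defences matters: allowlist validation rejects anything that is not a plausible course code before it touches the filesystem or the shell, the realpath check keeps even a valid-looking code inside the intended directory, and escapeshellarg() is the last line of defence for the case where a shell really is required. Removing the shell entirely, as in the third function, is the strongest fix because it removes the command-line interpretation that CWE-78 depends on.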
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-35196 | Command Injection | Chamilo LMS versions prior to 2.0.0-RC.3 |
| CVE-2026-35196 | Command Injection | main/inc/ajax/gradebook.ajax.php endpoint |
| CVE-2026-35196 | Command Injection | export_all_certificates action |
| CVE-2026-35196 | Command Injection | Unsanitized $_SESSION['_cid'] variable in shell_exec() |