Home / Vulnerability Intelligence / CVE-2026-28430

CVE-2026-28430 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 17, 2026

Chamilo LMS - SQL Injection

Published: March 16, 2026Updated: March 17, 2026Remote Exploitable

Overview

Chamilo LMS < 1.11.34 contains an unauthenticated SQL injection caused by improper sanitization of the custom_dates parameter, letting remote attackers execute arbitrary SQL commands and achieve full administrative takeover, exploit requires no authentication.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 8.1%(Probability of exploitation in next 30 days)

Impact

Remote attackers can execute arbitrary SQL commands, access sensitive data, and take over administrative accounts.

Mitigation

Upgrade to version 1.11.34 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 18, 2026

🔴 CVE-2026-28430 - Critical (9.8) Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the custom_dates parameter. By chaining this with a ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28430/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-28430
Severity: Critical
CVSS Score: 9.8
Type: sql_injection
Status: confirmed
EPSS: 8.1%
Social Posts: 1

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

8.1%Probability of exploitation in the next 30 days