CVE-2025-50194

Chamilo: OS Command Injection in /main/cron/lang/check_parse_lang.php

CVSS 7.1 HIGH · EPSS 2.6% · CWE-78
In short

Chamilo, a learning management system, has a vulnerability in its language checking tool that allows attackers to run harmful system commands on the server. This can lead to complete server compromise if not patched.

Technical detail

An OS command injection vulnerability exists in /main/cron/lang/check_parse_lang.php prior to version 1.11.30, allowing unauthenticated attackers to execute arbitrary system commands through unsanitized input. The attack vector requires access to the cron endpoint, potentially enabling remote code execution with server privileges.

Summary generated and translated by AI from the official description.
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/cron/lang/check_parse_lang.php. This issue has been patched in version 1.11.30.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
chamilo · chamilo-lms
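
To check whether the script named above was requested over the web on a host that ran a version before 1.11.30, the following added example (not from the advisory or the Chamilo project) scans web-server access logs for it. It assumes combined log format; the function names and sample lines are constructed for illustration.

```python
import posixpath
import re

# Path named in the advisory; any web request to it deserves review.
TARGET = "/main/cron/lang/check_parse_lang.php"

# Combined/common log format: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize(raw_path):
    """Percent-decode and canonicalize so trivial path variants still match."""
    from urllib.parse import unquote
    path = re.sub(r"/+", "/", unquote(raw_path))   # collapse duplicate slashes
    return posixpath.normpath(path)                # resolve ./ and ../ segments

def find_hits(lines):
    """Return one record per logged request that addressed the script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        raw_path, _, query = m["target"].partition("?")
        path = normalize(raw_path)
        # Also match PATH_INFO-style suffixes such as script.php/extra
        if path == TARGET or path.startswith(TARGET + "/"):
            hits.append({
                "ip": m["ip"], "user": m["user"], "time": m["time"],
                "method": m["method"], "status": int(m["status"]),
                "served": m["status"].startswith("2"),  # 2xx: script ran
                "has_query": bool(query),
            })
    return hits

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [12/Jun/2025:10:01:22 +0000] "GET /main/cron/lang/check_parse_lang.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jun/2025:10:01:40 +0000] "GET /main//cron/lang/check%5Fparse%5Flang.php?x=1 HTTP/1.1" 200 498',
    '203.0.113.9 - admin [12/Jun/2025:10:05:00 +0000] "GET /main/admin/index.php HTTP/1.1" 200 9000',
    '203.0.113.20 - - [12/Jun/2025:11:00:03 +0000] "POST /main/cron/lang/check_parse_lang.php HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE):
        print(hit)
```

Hits with `served` set to true on a pre-1.11.30 install are the ones to prioritise for incident review; a 403 or 404 shows the request was made but not executed.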
