Chamilo Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) Vulnerability - CVE-2026-32892
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS command injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter, which only passes through Security::remove_XSS() (an HTML-only filter), is concatenated directly into shell commands such as exec("mv source target"). By default Chamilo allows all authenticated users to create courses (allow_users_to_create_courses set to true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
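As an added illustration of the fix the advisory describes (this is not Chamilo's own fileManage.lib.php code), the helpers below confine both paths to an assumed course document root and then either quote every exec() argument with escapeshellarg() or avoid the shell entirely with rename(); the function names and the $docRoot parameter are assumptions.

```php
<?php
// Illustrative hardening of the pattern the advisory describes; not Chamilo's
// own fileManage.lib.php code. Assumed inputs: the course document root and
// two caller-supplied relative paths (source file, destination directory).

// Resolve a relative path and refuse anything outside $root. realpath()
// follows symlinks and collapses ".."; the entry must already exist.
function confineToRoot(string $root, string $rel): ?string
{
    $p = realpath($root . DIRECTORY_SEPARATOR . $rel);
    if ($p === false || ($p !== $root && strpos($p, $root . DIRECTORY_SEPARATOR) !== 0)) {
        return null;
    }
    return $p;
}

// Validate both ends of the move; returns [absolute source, absolute target].
function resolveMove(string $docRoot, string $source, string $targetDir): ?array
{
    $root = realpath($docRoot);
    $src = $root ? confineToRoot($root, $source) : null;
    $dst = $root ? confineToRoot($root, $targetDir) : null;
    if ($src === null || $dst === null || !is_dir($dst)) {
        return null;
    }
    return [$src, $dst . DIRECTORY_SEPARATOR . basename($src)];
}

// Variant 1: keep the exec("mv ...") design but quote every argument.
// escapeshellarg() single-quotes the value, so ';', '`', '$', '|', spaces and
// parentheses in a directory name reach mv as data, not as shell syntax.
function moveWithEscapedExec(string $docRoot, string $source, string $targetDir): bool
{
    $paths = resolveMove($docRoot, $source, $targetDir);
    if ($paths === null) {
        return false;
    }
    exec('mv ' . escapeshellarg($paths[0]) . ' ' . escapeshellarg($paths[1]), $out, $status);
    return $status === 0;
}

// Variant 2 (preferable): no shell at all. rename() is a direct filesystem
// call, so there is no command line for a crafted directory name to break out of.
function moveWithoutShell(string $docRoot, string $source, string $targetDir): bool
{
    $paths = resolveMove($docRoot, $source, $targetDir);
    return $paths !== null && rename($paths[0], $paths[1]);
}
```

Calling either variant as moveWithoutShell($docRoot, 'notes.txt', 'Week 1 (draft)') moves the file into a directory whose name contains spaces and parentheses, which an unquoted "mv $source $target" string would already mis-handle.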