Chamilo - Chamilo-lms - CRITICAL - CVE-2026-28430. Chamilo LMS, a widely-used learning management system, contains an unauthenticated SQL injection vulnerability prior to version 1.11.34. This flaw allows remote attackers to execute arbitrary SQL commands via the custom_dates parameter. By exploiting this vulnerability in conjunction with a legacy password reset mechanism, attackers could gain complete control over administrative accounts without needing prior credentials. Additionally, the vulnerability poses a significant risk as it exposes sensitive information, including personally identifiable information (PII) and system configurations. Users are strongly advised to upgrade to version 1.11.34 or later to mitigate these security risks.