A vulnerability was found in Chamilo LMS up to 1.11.35 . It has been rated as critical . Impacted is the function Database::escape_string of the component AJAX Endpoint . The manipulation leads to sql injection. This vulnerability is listed as CVE-2026-30881 . The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is advised.