A vulnerability was found in Chamilo LMS up to 1.11.33 and classified as critical . This affects an unknown part of the component Legacy Password Reset Handler . Such manipulation of the argument custom_dates leads to sql injection. This vulnerability is referenced as CVE-2026-28430 . It is possible to launch the attack remotely. No exploit is available. It is suggested to upgrade the affected component.