Chamilo LMS CRITICAL vuln (CVE-2026-32892): OS Command Injection via move_to POST param in fileManage.lib.php. Auth'd teachers can run arbitrary commands as www-data. Patch: 1.11.38/2.0.0-RC.3. Details: https://radar.offseq.com/threat/cve-2026-32892-cwe-78-improper-neutralization-of-s-5b2019d4 #OffSeq #Chamilo #CVE202632892 #infosec