Chamilo Chamilo-Lms vulnerabilities
68 known vulnerabilities affecting chamilo/chamilo-lms.
Total CVEs: 68
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 12, HIGH 31, MEDIUM 25
Vulnerabilities
Page 1 of 4
CVE-2026-28430 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 1.11.34 | 2026-03-16
Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the custom_dates parameter. By chaining this with a predictable legacy password reset mechanism, an attacker can achieve full administrative account takeov
Source: nvd
CVE-2026-35196 | P2 | HIGH | CVSS 8.8 | CWE-78 | fixed in 2.0.0-RC.3 | 2026-04-14
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an OS Command Injection vulnerability exists in the main/inc/ajax/gradebook.ajax.php endpoint within the export_all_certificates action, where the course code retrieved from the session variable $_SESSION['_cid'] via api_get_course_id() is concatenated directly i
Source: nvd
CVE-2025-50187 | P2 | CRITICAL | CVSS 9.8 | CWE-95 | fixed in 1.11.28 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.28, a parameter from a SOAP request is evaluated without filtering, which leads to Remote Code Execution. This issue has been patched in version 1.11.28.
Source: nvd
CVE-2026-29041 | P2 | HIGH | CVSS 8.8 | CWE-434 | fixed in 1.11.34 | 2026-03-06
Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The application relies solely on MIME-type verification when handling file uploads and does not adequately validate file extensions or enforce safe server-si
Source: nvd
CVE-2025-52998 | P2 | CRITICAL | CVSS 9.8 | CWE-502 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, the application performs deserialization of data that can be spoofed. An attacker can create objects of arbitrary classes, as well as fully control their properties, and thus modify the logic of the web application's operation. This issue has been patched in version 1.
Source: nvd
CVE-2026-32931 | P2 | HIGH | CVSS 8.8 | CWE-434 | fixed in 1.11.38; affected >= 2.0.0-alpha.1, < 2.0.0-RC.3 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its original .php extension and is placed in a web-accessible
Source: nvd
CVE-2026-30875 | P2 | HIGH | CVSS 8.8 | CWE-94 | fixed in 1.11.36 | 2026-03-16
Chamilo LMS is a learning management system. Prior to version 1.11.36, an arbitrary file upload vulnerability in the H5P Import feature allows authenticated users with Teacher role to achieve Remote Code Execution (RCE). The H5P package validation only checks if h5p.json exists but doesn't block .htaccess or PHP files with alternative extensions. An at
Source: nvd
CVE-2026-33704 | P2 | HIGH | CVSS 8.8 | CWE-434 | fixed in 1.11.38 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through
Source: nvd
CVE-2026-33707 | P2 | CRITICAL | CVSS 9.8 | CWE-640 | fixed in 1.11.38; affected >= 2.0.0-alpha.1, < 2.0.0-RC.3 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerab
Source: nvd
CVE-2026-33698 | P2 | CRITICAL | CVSS 9.8 | CWE-552 | fixed in 1.11.38 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals with the main/install/ directory still present and r
Source: nvd
CVE-2026-32892 | P2 | HIGH | CVSS 8.8 | CWE-78 | fixed in 1.11.38; affected >= 2.0.0-alpha.1, < 2.0.0-RC.3 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php
Source: nvd
CVE-2026-30881 | P2 | HIGH | CVSS 8.8 | CWE-89 | affected >= 2.0.0-RC.2, < 2.0.0 | 2026-03-16
Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST are embedded directly into a raw SQL string without proper sanitization. Although Database::escape_string() is called downstream, its output is immediately n
Source: nvd
CVE-2026-33618 | P2 | HIGH | CVSS 8.8 | CWE-95 | affected >= 2.0.0-alpha.1, < 2.0.0-RC.3 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unaut
Source: nvd
CVE-2026-40291 | P2 | HIGH | CVSS 8.8 | CWE-269 | fixed in 2.0-RC.3 | 2026-04-14
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security e
Source: nvd
CVE-2026-34160 | P2 | HIGH | CVSS 8.6 | CWE-306 | fixed in 2.0-RC.3 | 2026-04-14
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetches using curl without filtering private or internal IP a
Source: nvd
CVE-2025-50189 | P3 | HIGH | CVSS 8.8 | CWE-89 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the POST resource[document][SQL_INJECTION_HERE] and POST login parameters found in /main/coursecopy/copy_course_session_selected.php, which allows an attacker to perform an attack aimed at modifying the d
Source: nvd
CVE-2025-50192 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, there is a time-based SQL Injection found in /main/webservices/registration.soap.php. This issue has been patched in version 1.11.30.
Source: nvd
CVE-2025-50190 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the GET openid.assoc_handle parameter with the /index.php script. This issue has been patched in version 1.11.30.
Source: nvd
CVE-2024-47886 | P3 | HIGH | CVSS 7.2 | CWE-502 | affected >= 1.11.12, < 1.11.28 | 2026-03-02
Chamilo is a learning management system. Chamilo is affected by a post-authentication phar unserialize which leads to a remote code execution (RCE) within versions 1.11.12 to 1.11.26. By abusing multiple supported features from the virtualization plugin vchamilo, the vulnerability allows an administrator to execute arbitrary code on the server. This
Source: nvd
CVE-2025-55208 | P3 | CRITICAL | CVSS 9.0 | CWE-79 | fixed in 1.11.34 | 2026-03-05
Chamilo is a learning management system. Versions prior to 1.11.34 have a Stored XSS through insecure file uploads in `Social Networks`. Through it, a low-privilege user can execute arbitrary code in the admin user inbox, allowing takeover of the admin account. Version 1.11.34 fixes the issue.
Source: nvd