Chamilo Chamilo-Lms vulnerabilities
68 known vulnerabilities affecting chamilo/chamilo-lms.
Total CVEs: 68
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 12, HIGH 31, MEDIUM 25
Vulnerabilities
Page 3 of 4
CVE-2026-32894 | P3 | HIGH | CVSS 7.1 | CWE-476 | Fixed in 1.11.38 | Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-
Source: NVD
CVE-2026-32930 | P3 | HIGH | CVSS 7.1 | CWE-639 | Fixed in 1.11.38 | Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter.
Source: NVD
CVE-2026-33703 | P3 | MEDIUM | CVSS 6.5 | CWE-639 | Fixed in 2.0.0-RC.3 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId parameter. This results in mass disclosure of sensitive
Source: NVD
CVE-2026-34370 | P3 | MEDIUM | CVSS 6.5 | CWE-285 | Fixed in 2.0.0-RC.3 | 2026-04-14
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the notebook module contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated student to read the private course notes of any other user on the platform by manipulating the notebook_id parameter in the editnote action. The
Source: NVD
CVE-2026-33737 | P3 | MEDIUM | CVSS 6.5 | CWE-611 | Fixed in 1.11.38 | Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With the LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Source: NVD
CVE-2026-33702 | P3 | HIGH | CVSS 7.1 | CWE-639 | Fixed in 1.11.38 | Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path p
Source: NVD
CVE-2026-33736 | P3 | MEDIUM | CVSS 6.5 | CWE-639 | Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3.
Source: NVD
CVE-2026-33141 | P3 | MEDIUM | CVSS 6.5 | CWE-639 | Fixed in 2.0.0-RC.3 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress, certificates, and gradebook scores for any course, without enrollment or
Source: NVD
CVE-2025-59541 | P3 | HIGH | CVSS 8.1 | CWE-352 | Fixed in 1.11.34 | 2026-03-06
Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victim's consent. The issue arises because sensitive actions such as project deletion do not implement anti-CSRF protections (tokens) and use GET-based requests. As a result,
Source: NVD
CVE-2026-33708 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | Fixed in 1.11.38 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38.
Source: NVD
CVE-2026-33705 | P4 | MEDIUM | CVSS 5.3 | CWE-538 | Fixed in 1.11.38 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. This vulnerability is fixed in 1.11.38.
Source: NVD
CVE-2025-52564 | P4 | MEDIUM | CVSS 6.1 | CWE-80 | Fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, the open parameter of help.php fails to properly sanitize user input. This allows an attacker to inject arbitrary HTML, such as underlined text, via a crafted URL. This issue has been patched in version 1.11.30.
Source: NVD
CVE-2026-34161 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Fixed in 2.0.0-RC.3 | 2026-04-14
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the social post attachment upload functionality, where an authenticated user can upload a malicious HTML file containing JavaScript via the /api/social_post_attachments endpoint. The uploaded file is se
Source: NVD
CVE-2024-50337 | P4 | MEDIUM | CVSS 5.3 | CWE-918 | Fixed in 1.11.28 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.28, the OpenId function allows anyone to send requests to any URL on the server's behalf, which results in unauthenticated blind SSRF. This issue has been patched in version 1.11.28.
Source: NVD
CVE-2025-52468 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. This flaw occurs due to insufficient sanitization of user data, specifically in the "Last Name", "First Name", and "Username" fields. It allows attackers to inject a stored cross-site scripting (XSS) pay
Source: NVD
CVE-2026-32932 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | Fixed in 1.11.38 | Affected: >= 2.0.0-alpha.1, < 2.0.0-RC.3 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The redirect also leaks the id_session parameter to the attacker's server. This
Source: NVD
CVE-2025-59540 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | Fixed in 1.11.34 | 2026-03-06
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is not properly encoded before rendering, allowing malicio
Source: NVD
CVE-2025-50198 | P4 | MEDIUM | CVSS 4.9 | CWE-502 | Fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, Chamilo is vulnerable to deserialization of untrusted data in /plugin/vchamilo/views/import.php via the POST parameters configuration_file, course_path, and home_path. This issue has been patched in version 1.11.30.
Source: NVD
CVE-2026-30876 | P4 | MEDIUM | CVSS 5.3 | CWE-204 | Fixed in 1.11.36 | 2026-03-16
Chamilo LMS is a learning management system. Prior to version 1.11.36, Chamilo is vulnerable to user enumeration, as its responses differ for valid and invalid usernames. This issue has been patched in version 1.11.36.
Source: NVD
CVE-2025-52475 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability in the admin/user_list.php endpoint. The keyword_inactive parameter is not properly sanitized, allowing attackers to inject malicious JavaScript through a crafted URL. This issue has been patched in version 1.11.30.
Source: NVD