Chamilo Chamilo-Lms vulnerabilities
68 known vulnerabilities affecting chamilo/chamilo-lms.
Total CVEs: 68
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 12, HIGH 31, MEDIUM 25
Vulnerabilities
CVE-2025-52476 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to improper sanitization of the keyword_active parameter in admin/user_list.php. This issue has been patched in version 1.11.30.
nvd
CVE-2026-30882 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.11.36 | 2026-03-16
Chamilo LMS is a learning management system. Chamilo LMS version 1.11.34 and prior contains a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page. The keyword parameter from $_REQUEST is echoed directly into an HTML href attribute without any encoding or sanitization. An attacker can inject arbitrary HTML/JavaScrip
nvd
CVE-2025-52563 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to insufficient sanitization of the page parameter in the session/add_users_to_session.php endpoint. This issue has been patched in version 1.11.30.
nvd
CVE-2026-32893 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v >= 2.0.0-alpha.1, < 2.0.0-RC.3 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_bui
nvd
CVE-2025-50186 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of CSV filenames. An attacker can upload a maliciously named CSV file (e.g., .csv) that leads to JavaScript execution when viewed by administrators or users with access to import logs or file vie
nvd
CVE-2025-66447 | P4 | MEDIUM | CVSS 4.7 | CWE-601 | v >= 1.11.0, < 2.0.0-RC.3 | 2026-04-10
Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2.
nvd
CVE-2025-59544 | P4 | MEDIUM | CVSS 4.3 | CWE-862 | fixed in 1.11.34 | 2026-03-06
Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "category_id" parameter which allows users to update the category of any user by replacing the "category_id" parameter. This issue has been patched in version 1.11.34.
nvd
CVE-2025-52470 | P4 | MEDIUM | CVSS 4.8 | CWE-79 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists in the session_category_add.php script. The vulnerability is caused by improper sanitization of the Category Name field, allowing privileged users to inject persistent JavaScript payloads. The injected script is later executed w
nvd