Chamilo LMS vulnerabilities
121 known vulnerabilities affecting chamilo/chamilo_lms.
Total CVEs: 121
CISA KEV: 0
Public exploits: 3
Exploited in wild: 1
Severity breakdown: CRITICAL 17, HIGH 47, MEDIUM 57
Vulnerabilities
Page 1 of 7
CVE-2023-4220 | P1 | MEDIUM | CVSS 6.1 | CWE-434 | Exploited | PoC | ≤ 1.11.24 | 2023-11-28
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.
nvd
CVE-2026-28430 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 1.11.34 | 2026-03-16
Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the custom_dates parameter. By chaining this with a predictable legacy password reset mechanism, an attacker can achieve full administrative account takeov
nvd
CVE-2026-35196 | P2 | HIGH | CVSS 8.8 | CWE-78 | ≤ 1.11.38, v2.0.0 | 2026-04-14
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an OS Command Injection vulnerability exists in the main/inc/ajax/gradebook.ajax.php endpoint within the export_all_certificates action, where the course code retrieved from the session variable $_SESSION['_cid'] via api_get_course_id() is concatenated directly i
nvd
CVE-2025-50187 | P2 | CRITICAL | CVSS 9.8 | CWE-95 | fixed in 1.11.28 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.28, a parameter from a SOAP request is evaluated without filtering, which leads to remote code execution. This issue has been patched in version 1.11.28.
nvd
CVE-2026-29041 | P2 | HIGH | CVSS 8.8 | CWE-434 | fixed in 1.11.34 | 2026-03-06
Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The application relies solely on MIME-type verification when handling file uploads and does not adequately validate file extensions or enforce safe server-si
nvd
CVE-2018-1999019 | P2 | CRITICAL | CVSS 9.8 | CWE-94 | v1.11.0, v1.11.2, +3 more | 2018-07-23
Chamilo LMS version 11.x contains an unserialization vulnerability in the "hash" GET parameter for the API endpoint located at /webservices/api/v2.php that can result in unauthenticated remote code execution. This attack appears to be exploitable via a simple GET request to the API endpoint. This vulnerability appears to have been fixed in After
nvd
CVE-2025-52998 | P2 | CRITICAL | CVSS 9.8 | CWE-502 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, the application performs deserialization of data that can be spoofed. An attacker can create objects of arbitrary classes, as well as fully control their properties, and thus modify the logic of the web application's operation. This issue has been patched in version 1.
nvd
CVE-2019-13082 | P2 | CRITICAL | CVSS 9.8 | CWE-434 | v1.11.8 | 2019-06-30
Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. It extracts a ZIP archive before checking its content, and once it has been extracted, does not check files in a recursive way. This means that by putting a .php file in a folder and then this folder in a ZIP archive, the server wi
nvd
CVE-2026-32931 | P2 | HIGH | CVSS 8.8 | CWE-434 | fixed in 1.11.38, v2.0.0 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its original .php extension and is placed in a web-accessible
nvd
CVE-2026-30875 | P2 | HIGH | CVSS 8.8 | CWE-94 | fixed in 1.11.36 | 2026-03-16
Chamilo LMS is a learning management system. Prior to version 1.11.36, an arbitrary file upload vulnerability in the H5P Import feature allows authenticated users with Teacher role to achieve Remote Code Execution (RCE). The H5P package validation only checks if h5p.json exists but doesn't block .htaccess or PHP files with alternative extensions. An at
nvd
CVE-2026-33704 | P2 | HIGH | CVSS 8.8 | CWE-434 | fixed in 1.11.38 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through
nvd
CVE-2026-33707 | P2 | CRITICAL | CVSS 9.8 | CWE-640 | fixed in 1.11.38, v2.0.0 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerab
nvd
CVE-2026-33698 | P2 | CRITICAL | CVSS 9.8 | CWE-552 | fixed in 1.11.38 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals with the main/install/ directory still present and r
nvd
CVE-2026-32892 | P2 | HIGH | CVSS 8.8 | CWE-78 | fixed in 1.11.38, v2.0.0 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php
nvd
CVE-2026-30881 | P2 | HIGH | CVSS 8.8 | CWE-89 | fixed in 1.11.36 | 2026-03-16
Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST are embedded directly into a raw SQL string without proper sanitization. Although Database::escape_string() is called downstream, its output is immediately n
nvd
CVE-2026-33618 | P2 | HIGH | CVSS 8.8 | CWE-95 | v2.0.0 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unaut
nvd
CVE-2026-40291 | P2 | HIGH | CVSS 8.8 | CWE-269 | ≤ 1.11.38, v2.0.0 | 2026-04-14
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. The API Platform security e
nvd
CVE-2026-34160 | P2 | HIGH | CVSS 8.6 | CWE-306 | ≤ 1.11.38, v2.0.0 | 2026-04-14
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetches using curl without filtering private or internal IP a
nvd
CVE-2013-6787 | P3 | MEDIUM | CVSS 6.0 | CWE-89 | PoC | ≤ 1.9.6, v1.8.6.2, +8 more | 2013-12-05
SQL injection vulnerability in the check_user_password function in main/auth/profile.php in Chamilo LMS 1.9.6 and earlier, when using the non-encrypted passwords mode set at installation, allows remote authenticated users to execute arbitrary SQL commands via the "password0" parameter.
nvd
CVE-2025-50189 | P3 | HIGH | CVSS 8.8 | CWE-89 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the POST resource[document][SQL_INJECTION_HERE] and POST login parameters found in /main/coursecopy/copy_course_session_selected.php, which allows an attacker to perform an attack aimed at modifying the d
nvd