
Chamilo Lms vulnerabilities

121 known vulnerabilities affecting chamilo/chamilo_lms.

Total CVEs: 121
CISA KEV: 0
Public exploits: 3
Exploited in wild: 1
Severity breakdown: CRITICAL 17, HIGH 47, MEDIUM 57

Vulnerabilities

Page 3 of 7
CVE-2022-27423 | P3 | CRITICAL | CVSS 9.8 | ≥ 1.11.0, ≤ 1.11.16 | 2022-04-15
CWE-89: Chamilo LMS v1.11.13 was discovered to contain a SQL injection vulnerability via the blog_id parameter at /blog/blog.php.
Source: nvd
CVE-2025-55289 | P3 | CRITICAL | CVSS 9.0 | fixed in 1.11.34 | 2026-03-06
CWE-79: Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Version 1.11.32) that allows an attacker to inject arbitrary JavaScript into the platform’s social network and internal messaging features. When viewed by an authenticated user (including administrators), the payload executes in their b
Source: nvd
CVE-2022-27426 | P3 | HIGH | CVSS 8.8 | ≥ 1.11.0, ≤ 1.11.16 | 2022-04-15
CWE-918: A Server-Side Request Forgery (SSRF) in Chamilo LMS v1.11.13 allows attackers to enumerate the internal network and execute arbitrary system commands via a crafted Phar file.
Source: nvd
CVE-2024-30616 | P3 | HIGH | CVSS 8.8 | v1.11.26 | 2024-11-04
CWE-863: Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Non-admin users can manipulate sensitive profile information, posing a significant risk to data integrity.
Source: nvd
CVE-2026-33710 | P3 | HIGH | CVSS 7.5 | fixed in 1.11.38, v2.0.0 | 2026-04-10
CWE-330: Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key
Source: nvd
CVE-2025-50191 | P3 | HIGH | CVSS 7.2 | fixed in 1.11.30 | 2026-03-02
CWE-89: Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via POST userFile with the /main/exercise/hotpotatoes.php script. This issue has been patched in version 1.11.30.
Source: nvd
CVE-2026-33715 | P3 | HIGH | CVSS 7.2 | v2.0.0 | 2026-04-14
CWE-306: Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authentication and installation-completed checks. Its test_mailer
Source: nvd
CVE-2025-59542 | P3 | CRITICAL | CVSS 9.0 | fixed in 1.11.34 | 2026-03-06
CWE-79: Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course learning path Settings field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the co
Source: nvd
CVE-2023-34962 | P3 | HIGH | CVSS 8.1 | ≥ 1.11.0, ≤ 1.11.18 | 2023-06-08
Incorrect access control in Chamilo v1.11.x up to v1.11.18 allows a student to arbitrarily access and modify another student's personal notes.
Source: nvd
CVE-2025-50188 | P3 | HIGH | CVSS 7.2 | fixed in 1.11.30 | 2026-03-02
CWE-89: Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the GET value parameter with the following scripts: /plugin/vchamilo/views/syncparams.php and /plugin/vchamilo/ajax/service.php, which allows an attacker to perform an attack aimed at modifying the databa
Source: nvd
CVE-2025-59543 | P3 | CRITICAL | CVSS 9.0 | fixed in 1.11.34 | 2026-03-06
CWE-79: Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course description field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the course inform
Source: nvd
CVE-2026-31940 | P3 | HIGH | CVSS 8.8 | fixed in 1.11.38, v2.0.0 | 2026-04-10
CWE-384: Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Source: nvd
CVE-2026-33714 | P3 | HIGH | CVSS 7.2 | v2.0.0 | 2026-04-14
Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters in the get_user_registration_by_month action, the sam
Source: nvd
CVE-2026-34602 | P3 | HIGH | CVSS 7.1 | ≤ 1.11.38, v2.0.0 | 2026-04-14
CWE-639: Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR), allowing an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into any course without proper authorization checks. The
Source: nvd
CVE-2018-20329 | P3 | HIGH | CVSS 8.1 | v1.11.8 | 2018-12-21
CWE-89: Chamilo LMS version 1.11.8 contains a main/inc/lib/CoursesAndSessionsCatalog.class.php SQL injection, allowing users with access to the sessions catalogue (which may optionally be made public) to extract and/or modify database information.
Source: nvd
CVE-2024-30619 | P3 | HIGH | CVSS 7.5 | v1.11.26 | 2024-11-04
Chamilo LMS Version 1.11.26 is vulnerable to Incorrect Access Control. A non-authenticated attacker can request the number of messages and the number of online users via "/main/inc/ajax/message.ajax.php?a=get_count_message" AND "/main/inc/ajax/online.ajax.php?a=get_users_online."
Source: nvd
CVE-2025-52469 | P3 | HIGH | CVSS 7.1 | fixed in 1.11.30 | 2026-03-02
CWE-841: Chamilo is a learning management system. Prior to version 1.11.30, a logic vulnerability in the friend request workflow of Chamilo’s social network module allows an authenticated user to forcibly add any user as a friend by directly calling the AJAX endpoint. The attacker can bypass the normal flow of sending and accepting friend requests, and even ad
Source: nvd
CVE-2026-31941 | P3 | MEDIUM | CVSS 6.5 | fixed in 1.11.38, v2.0.0 | 2026-04-10
CWE-918: Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main POST parameter and performs two server-side HTTP requests to that URL with
Source: nvd
CVE-2026-33706 | P3 | HIGH | CVSS 7.1 | fixed in 1.11.38 | 2026-04-10
CWE-269: Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the update_user_from_username endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course creation and management privileges. This vulnerability is fixed in 1.11.
Source: nvd
CVE-2025-52482 | P3 | HIGH | CVSS 8.3 | fixed in 1.11.30 | 2026-03-02
CWE-79: Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS vulnerability exists in the glossary function, enabling all users with the Teachers role to inject JavaScript malicious code against the administrator. This issue has been patched in version 1.11.30.
Source: nvd