Chamilo LMS vulnerabilities
121 known vulnerabilities affecting chamilo/chamilo_lms.
Total CVEs: 121
CISA KEV: 0
Public exploits: 3
Exploited in wild: 1
Severity breakdown: CRITICAL 17, HIGH 47, MEDIUM 57
Vulnerabilities
CVE-2025-52468 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. This flaw occurs due to insufficient sanitization of user data, specifically in the "Last Name", "First Name", and "Username" fields. It allows attackers to inject a stored cross-site scripting (XSS) pay
nvd
CVE-2026-32932 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | fixed in 1.11.38, v2.0.0 | 2026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The redirect also leaks the id_session parameter to the attacker's server. This
nvd
CVE-2025-59540 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 1.11.34 | 2026-03-06
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is not properly encoded before rendering, allowing malicio
nvd
CVE-2023-39582 | P4 | MEDIUM | CVSS 4.9 | CWE-89 | ≥ 1.11, ≤ 1.11.20 | 2023-09-01
SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allows a remote privileged attacker to obtain sensitive information via the import sessions functions.
nvd
CVE-2025-50198 | P4 | MEDIUM | CVSS 4.9 | CWE-502 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, Chamilo is vulnerable to deserialization of untrusted data in /plugin/vchamilo/views/import.php via POST configuration_file; POST course_path; POST home_path parameters. This issue has been patched in version 1.11.30.
nvd
CVE-2025-69581 | P4 | MEDIUM | CVSS 5.5 | CWE-524 | v1.11.2 | 2026-01-16
An issue was discovered in Chamilo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to view confidential information. This leads to profilin
nvd
CVE-2023-34959 | P4 | MEDIUM | CVSS 5.3 | CWE-918 | ≥ 1.11.0, ≤ 1.11.18 | 2023-06-08
An issue in Chamilo v1.11.* up to v1.11.18 allows attackers to execute a Server-Side Request Forgery (SSRF) and obtain information on the services running on the server via crafted requests in the social and links tools.
nvd
CVE-2026-30876 | P4 | MEDIUM | CVSS 5.3 | CWE-204 | fixed in 1.11.36 | 2026-03-16
Chamilo LMS is a learning management system. Prior to version 1.11.36, Chamilo is vulnerable to user enumeration with valid/invalid username. This issue has been patched in version 1.11.36.
nvd
CVE-2025-52475 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability in the admin/user_list.php endpoint. The keyword_inactive parameter is not properly sanitized, allowing attackers to inject malicious JavaScript through a crafted URL. This issue has been patched in version 1.11.30.
nvd
CVE-2025-52476 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to improper sanitization of the keyword_active parameter in admin/user_list.php. This issue has been patched in version 1.11.30.
nvd
CVE-2020-23126 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v1.11.10 | 2021-11-03
Chamilo LMS version 1.11.10 contains an XSS vulnerability in the personal profile edition form, affecting the user him/herself and social network friends.
nvd
CVE-2024-30618 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v1.11.26 | 2024-11-04
A Stored Cross-Site Scripting (XSS) Vulnerability in Chamilo LMS 1.11.26 allows a remote attacker to execute arbitrary JavaScript in a web browser by including a malicious payload in the 'content' parameter of 'group_topics.php'.
nvd
CVE-2026-30882 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.11.36 | 2026-03-16
Chamilo LMS is a learning management system. Chamilo LMS version 1.11.34 and prior contains a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page. The keyword parameter from $_REQUEST is echoed directly into an HTML href attribute without any encoding or sanitization. An attacker can inject arbitrary HTML/JavaScrip
nvd
CVE-2025-52563 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.11.30 | 2026-03-02
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to insufficient sanitization of the page parameter in the session/add_users_to_session.php endpoint. This issue has been patched in version 1.11.30.
nvd
CVE-2018-20327 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v1.11.8 | 2018-12-21
Chamilo LMS version 1.11.8 contains XSS in main/template/default/admin/gradebook_list.tpl in the gradebook dependencies tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators. This is considered "low risk" due to the nature of the feature it exploits.
nvd
CVE-2020-23128 | P4 | MEDIUM | CVSS 4.9 | CWE-269 | v1.11.10 | 2021-05-06
Chamilo LMS 1.11.10 does not properly manage privileges which could allow a user with Sessions administrator privilege to create a new user then use the edit user function to change this new user to administrator privilege.
nvd
CVE-2021-37390 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 1.11.14 | 2021-08-10
A Chamilo LMS 1.11.14 reflected XSS vulnerability exists in main/social/search.php=q URI (social network search feature).
nvd
CVE-2023-31801 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v1.11.18 | 2023-05-09
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skills wheel parameter.
nvd
CVE-2018-20328 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v1.11.8 | 2018-12-21
Chamilo LMS version 1.11.8 contains XSS in main/social/group_view.php in the social groups tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators. This is considered "low risk" due to the nature of the feature it exploits.
nvd
CVE-2024-51142 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v1.11.26 | 2024-11-15
Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows an attacker to execute arbitrary code via the svkey parameter of the storageapi.php file.
nvd