
Chamilo Lms vulnerabilities

121 known vulnerabilities affecting chamilo/chamilo_lms.

Total CVEs: 121
CISA KEV: 0
Public exploits: 3
Exploited in wild: 1
Severity breakdown: CRITICAL 17, HIGH 47, MEDIUM 57

Vulnerabilities

Page 6 of 7
CVE-2026-32893 | P4 | MEDIUM | CVSS 5.4 | v2.0.0 | 2026-04-10
CWE-79: Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_bui
nvd
CVE-2025-50186 | P4 | MEDIUM | CVSS 4.8 | fixed in 1.11.30 | 2026-03-02
CWE-79: Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of CSV filenames. An attacker can upload a maliciously named CSV file (e.g., .csv) that leads to JavaScript execution when viewed by administrators or users with access to import logs or file vie
nvd
CVE-2019-1000015 | P4 | MEDIUM | CVSS 6.1 | ≤ 1.11.8 | 2019-02-04
CWE-79: Chamilo Chamilo-lms version 1.11.8 and earlier contains a Cross Site Scripting (XSS) vulnerability in main/messages/new_message.php, main/social/personal_data.php, main/inc/lib/TicketManager.php, main/ticket/ticket_details.php that can result in a message being sent to the Administrator with the XSS to steal cookies. A ticket can be created with
nvd
CVE-2022-27422 | P4 | MEDIUM | CVSS 6.1 | ≥ 1.11.0, ≤ 1.11.16 | 2022-04-15
CWE-79: A reflected cross-site scripting (XSS) vulnerability in Chamilo LMS v1.11.13 allows attackers to execute arbitrary web scripts or HTML via user interaction with a crafted URL.
nvd
CVE-2023-34961 | P4 | MEDIUM | CVSS 6.1 | ≥ 1.11.0, ≤ 1.11.18 | 2023-06-08
CWE-79: Chamilo v1.11.x up to v1.11.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the /feedback/comment field.
nvd
CVE-2023-31807 | P4 | MEDIUM | CVSS 5.4 | v1.11.18 | 2023-05-09
CWE-79: Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via a crafted payload to the personal notes function.
nvd
CVE-2023-31800 | P4 | MEDIUM | CVSS 5.4 | v1.11.18 | 2023-05-09
CWE-79: Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the forum title parameter.
nvd
CVE-2015-9540 | P4 | MEDIUM | CVSS 6.1 | ≤ 1.9.10.2 | 2020-01-04
Chamilo LMS through 1.9.10.2 allows a link_goto.php?link_url= open redirect, a related issue to CVE-2015-5503.
nvd
CVE-2023-31804 | P4 | MEDIUM | CVSS 5.4 | v1.11.18 | 2023-05-09
CWE-79: Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the course category parameters.
nvd
CVE-2023-31802 | P4 | MEDIUM | CVSS 5.4 | v1.11.18 | 2023-05-09
CWE-79: Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skype and linedin_url parameters.
nvd
CVE-2023-31806 | P4 | MEDIUM | CVSS 5.4 | v1.11.18 | 2023-05-09
CWE-79: Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via a crafted payload to the My Progress function.
nvd
CVE-2024-30617 | P4 | MEDIUM | CVSS 5.4 | v1.11.26 | 2024-11-04
CWE-352: A Cross-Site Request Forgery (CSRF) vulnerability in Chamilo LMS 1.11.26 "/main/social/home.php," allows attackers to initiate a request that posts a fake post onto the user's social wall without their consent or knowledge.
nvd
CVE-2025-66447 | P4 | MEDIUM | CVSS 4.7 | ≤ 1.11.38 | v2.0.0 | 2026-04-10
CWE-601: Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2.
nvd
CVE-2023-34958 | P4 | MEDIUM | CVSS 4.3 | ≥ 1.11.0, ≤ 1.11.18 | 2023-06-08
CWE-863: Incorrect access control in Chamilo 1.11.* up to 1.11.18 allows a student subscribed to a given course to download documents belonging to another student if they know the document's ID.
nvd
CVE-2025-59544 | P4 | MEDIUM | CVSS 4.3 | fixed in 1.11.34 | 2026-03-06
CWE-862: Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "category_id" parameter which allows users to update the category of any user by replacing the "category_id" parameter. This issue has been patched in version 1.11.34.
nvd
CVE-2025-52470 | P4 | MEDIUM | CVSS 4.8 | fixed in 1.11.30 | 2026-03-02
CWE-79: Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists in the session_category_add.php script. The vulnerability is caused by improper sanitization of the Category Name field, allowing privileged users to inject persistent JavaScript payloads. The injected script is later executed w
nvd
CVE-2024-27525 | P4 | MEDIUM | CVSS 4.6 | v1.11.26 | 2024-11-01
CWE-79: Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows a remote attacker to escalate privileges via a crafted script to the filename parameter of the home.php component.
nvd
CVE-2021-35415 | P4 | MEDIUM | CVSS 4.8 | ≥ 1.11.0, ≤ 1.11.16 | 2021-12-03
CWE-79: A stored cross-site scripting (XSS) vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the course "Title" and "Content" fields.
nvd
CVE-2023-31799 | P4 | MEDIUM | CVSS 4.8 | v1.11.18 | 2023-05-09
CWE-79: Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the system announcements parameter.
nvd
CVE-2023-31805 | P4 | MEDIUM | CVSS 4.8 | v1.11.18 | 2023-05-09
CWE-79: Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local authenticated attacker to execute arbitrary code via the homepage function.
nvd