Total
91 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-28430 | 1 Chamilo | 1 Chamilo Lms | 2026-03-17 | N/A | 9.8 CRITICAL |
| Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the custom_dates parameter. By chaining this with a predictable legacy password reset mechanism, an attacker can achieve full administrative account takeover without any prior credentials. The vulnerability also exposes the entire database, including PII and system configurations. This issue has been patched in version 1.11.34. | |||||
| CVE-2026-30875 | 1 Chamilo | 1 Chamilo Lms | 2026-03-17 | N/A | 8.8 HIGH |
| Chamilo LMS is a learning management system. Prior to version 1.11.36, an arbitrary file upload vulnerability in the H5P Import feature allows authenticated users with Teacher role to achieve Remote Code Execution (RCE). The H5P package validation only checks if h5p.json exists but doesn't block .htaccess or PHP files with alternative extensions. An attacker uploads a crafted H5P package containing a webshell and .htaccess that enables PHP execution for .txt files, bypassing security control. This issue has been patched in version 1.11.36. | |||||
| CVE-2026-30876 | 1 Chamilo | 1 Chamilo Lms | 2026-03-17 | N/A | 5.3 MEDIUM |
| Chamilo LMS is a learning management system. Prior to version 1.11.36, Chamilo is vulnerable to user enumeration with valid/invalid username. This issue has been patched in version 1.11.36. | |||||
| CVE-2026-30881 | 1 Chamilo | 1 Chamilo Lms | 2026-03-17 | N/A | 8.8 HIGH |
| Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST are embedded directly into a raw SQL string without proper sanitization. Although Database::escape_string() is called downstream, its output is immediately neutralized by str_replace("\'", "'", ...), which restores any injected single quotes — effectively bypassing the escaping mechanism entirely. This allows an authenticated attacker to inject arbitrary SQL statements into the database query, enabling blind time-based and conditional data extraction. This issue has been patched in version 1.11.36. | |||||
| CVE-2026-30882 | 1 Chamilo | 1 Chamilo Lms | 2026-03-17 | N/A | 6.1 MEDIUM |
| Chamilo LMS is a learning management system. Chamilo LMS version 1.11.34 and prior contains a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page. The keyword parameter from $_REQUEST is echoed directly into an HTML href attribute without any encoding or sanitization. An attacker can inject arbitrary HTML/JavaScript by breaking out of the attribute context using ">followed by a malicious payload. The vulnerability is triggered when the pagination controls are rendered — which occurs when the number of session categories exceeds 20 (the page limit). This issue has been patched in version 1.11.36. | |||||
| CVE-2026-29041 | 1 Chamilo | 1 Chamilo Lms | 2026-03-09 | N/A | 8.8 HIGH |
| Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The application relies solely on MIME-type verification when handling file uploads and does not adequately validate file extensions or enforce safe server-side storage restrictions. As a result, an authenticated low-privileged user can upload a crafted file containing executable code and subsequently execute arbitrary commands on the server. This issue has been patched in version 1.11.34. | |||||
| CVE-2025-55208 | 1 Chamilo | 1 Chamilo Lms | 2026-03-09 | N/A | 9.0 CRITICAL |
| Chamilo is a learning management system. Versions prior to 1.11.34 have a Stored XSS through insecure file uploads in `Social Networks`. Through it, a low-privilege user can execute arbitrary code in the admin user inbox, allowing takeover of the admin account. Version 1.11.34 fixes the issue. | |||||
| CVE-2025-59544 | 1 Chamilo | 1 Chamilo Lms | 2026-03-09 | N/A | 4.3 MEDIUM |
| Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "category_id" parameter which allows users to update the category of any user by replacing the "category_id" parameter. This issue has been patched in version 1.11.34. | |||||
| CVE-2025-59543 | 1 Chamilo | 1 Chamilo Lms | 2026-03-09 | N/A | 9.0 CRITICAL |
| Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course description field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the course information page, including administrators. This allows an attacker to exfiltrate sensitive session cookies or tokens, resulting in account takeover (ATO) of higher-privileged users. This issue has been patched in version 1.11.34. | |||||
| CVE-2025-59542 | 1 Chamilo | 1 Chamilo Lms | 2026-03-09 | N/A | 9.0 CRITICAL |
| Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course learning path Settings field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the course information page, including administrators. This allows an attacker to exfiltrate sensitive session cookies or tokens, resulting in account takeover (ATO) of higher-privileged users. This issue has been patched in version 1.11.34. | |||||
| CVE-2025-59540 | 1 Chamilo | 1 Chamilo Lms | 2026-03-09 | N/A | 5.4 MEDIUM |
| Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is not properly encoded before rendering, allowing malicious scripts to persist in the database and execute on view. This issue has been patched in version 1.11.34. | |||||
| CVE-2025-59541 | 1 Chamilo | 1 Chamilo Lms | 2026-03-09 | N/A | 8.1 HIGH |
| Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victim’s consent. The issue arises because sensitive actions such as project deletion do not implement anti-CSRF protections (tokens) and GET based requests. As a result, an authenticated user (Trainer) can be tricked into executing this unwanted action by simply visiting a malicious page. This issue has been patched in version 1.11.34. | |||||
| CVE-2025-55289 | 1 Chamilo | 1 Chamilo Lms | 2026-03-09 | N/A | 8.8 HIGH |
| Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Verison 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform’s social network and internal messaging features. When viewed by an authenticated user (including administrators), the payload executes in their browser within the LMS context. This enables full account takeover via session hijacking, unauthorized actions with the victim’s privileges, exfiltration of sensitive data, and potential self-propagation to other users. This issue has been patched in version 1.11.34. | |||||
| CVE-2025-50198 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | N/A | 4.9 MEDIUM |
| Chamilo is a learning management system. Prior to version 1.11.30, Chamilo is vulnerable to deserialization of untrusted data in /plugin/vchamilo/views/import.php via POST configuration_file; POST course_path; POST home_path parameters. This issue has been patched in version 1.11.30. | |||||
| CVE-2025-50190 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | N/A | 9.8 CRITICAL |
| Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the GET openid.assoc_handle parameter with the /index.php script. This issue has been patched in version 1.11.30. | |||||
| CVE-2025-50191 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | N/A | 7.2 HIGH |
| Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via POST userFile with the /main/exercise/hotpotatoes.php script. This issue has been patched in version 1.11.30. | |||||
| CVE-2025-52482 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | N/A | 8.3 HIGH |
| Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS vulnerability exists in the glossary function, enabling all users with the Teachers role to inject JavaScript malicious code against the administrator. This issue has been patched in version 1.11.30. | |||||
| CVE-2025-50192 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | N/A | 9.8 CRITICAL |
| Chamilo is a learning management system. Prior to version 1.11.30, there is a time-based SQL Injection in found in /main/webservices/registration.soap.php. This issue has been patched in version 1.11.30. | |||||
| CVE-2025-50189 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | N/A | 8.8 HIGH |
| Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the POST resource[document][SQL_INJECTION_HERE] and POST login parameters found in /main/coursecopy/copy_course_session_selected.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30. | |||||
| CVE-2025-50188 | 1 Chamilo | 1 Chamilo Lms | 2026-03-03 | N/A | 7.2 HIGH |
| Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the GET value parameter with the following scripts: /plugin/vchamilo/views/syncparams.php and /plugin/vchamilo/ajax/service.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30. | |||||