Chamilo Chamilo-lms
69 CVEs affecting Chamilo Chamilo-lms. Latest disclosed: 2026-04-14. Critical: 6, High: 24.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-50187 | Critical | 9.8 | 2026-03-02 | Chamilo is a learning management system. Prior to version 1.11.28, parameter from SOAP request is evaluated without filtering which leads to Remote Code Execut… |
| CVE-2026-33707 | Critical | 9.4 | 2026-04-10 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no… |
| CVE-2026-32892 | Critical | 9.1 | 2026-04-10 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move funct… |
| CVE-2025-59543 | Critical | 9.1 | 2026-03-06 | Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScrip… |
| CVE-2025-59542 | Critical | 9.1 | 2026-03-06 | Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScrip… |
| CVE-2025-55208 | Critical | 9.1 | 2026-03-05 | Chamilo is a learning management system. Versions prior to 1.11.34 have a Stored XSS through insecure file uploads in `Social Networks`. Through it, a low-priv… |
| CVE-2026-40291 | High | 8.8 | 2026-04-14 | Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api… |
| CVE-2026-35196 | High | 8.8 | 2026-04-14 | Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an OS Command Injection vulnerability exists in the main/inc/ajax/gr… |
| CVE-2026-33618 | High | 8.8 | 2026-04-10 | Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse pl… |
| CVE-2026-30881 | High | 8.8 | 2026-03-16 | Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters d… |
| CVE-2026-30875 | High | 8.8 | 2026-03-16 | Chamilo LMS is a learning management system. Prior to version 1.11.36, an arbitrary file upload vulnerability in the H5P Import feature allows authenticated us… |
| CVE-2026-29041 | High | 8.8 | 2026-03-06 | Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by im… |
| CVE-2025-55289 | High | 8.8 | 2026-03-06 | Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Version 1.11.32) allows an attacker to i… |
| CVE-2025-52468 | High | 8.8 | 2026-03-02 | Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. This flaw… |
| CVE-2026-34160 | High | 8.6 | 2026-04-14 | Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at… |
| CVE-2026-31939 | High | 8.3 | 2026-04-10 | Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file deletion. Us… |
| CVE-2025-52482 | High | 8.3 | 2026-03-02 | Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS vulnerability exists in the glossary function, enabling all users with the Teac… |
| CVE-2025-59541 | High | 8.1 | 2026-03-06 | Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects insi… |
| CVE-2026-31941 | High | 7.7 | 2026-04-10 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the So… |
| CVE-2026-33710 | High | 7.5 | 2026-04-10 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)… |