Chamilo Chamilo_lms
122 CVEs affecting Chamilo Chamilo_lms. Latest disclosed: 2026-04-14. Critical: 17, High: 51.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-33698 | Critical | 9.8 | 2026-04-10 | Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allo… |
| CVE-2026-28430 | Critical | 9.8 | 2026-03-16 | Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to… |
| CVE-2025-52998 | Critical | 9.8 | 2026-03-02 | Chamilo is a learning management system. Prior to version 1.11.30, in the application, deserialization of data is performed, the data can be spoofed. An attack… |
| CVE-2025-50192 | Critical | 9.8 | 2026-03-02 | Chamilo is a learning management system. Prior to version 1.11.30, there is a time-based SQL Injection found in /main/webservices/registration.soap.php. Thi… |
| CVE-2025-50190 | Critical | 9.8 | 2026-03-02 | Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the GET openid.assoc_handle parameter with the /in… |
| CVE-2025-50187 | Critical | 9.8 | 2026-03-02 | Chamilo is a learning management system. Prior to version 1.11.28, parameter from SOAP request is evaluated without filtering which leads to Remote Code Execut… |
| CVE-2023-34944 | Critical | 9.8 | 2023-06-13 | An arbitrary file upload vulnerability in the /fileUpload.lib.php component of Chamilo 1.11.* up to v1.11.18 allows attackers to execute arbitrary code via upl… |
| CVE-2022-27423 | Critical | 9.8 | 2022-04-15 | Chamilo LMS v1.11.13 was discovered to contain a SQL injection vulnerability via the blog_id parameter at /blog/blog.php. |
| CVE-2021-35414 | Critical | 9.8 | 2021-12-03 | Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php. |
| CVE-2019-13082 | Critical | 9.8 | 2019-06-30 | Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. It extracts a ZIP archive before checking… |
| CVE-2018-1999019 | Critical | 9.8 | 2018-07-23 | Chamilo LMS version 11.x contains an Unserialization vulnerability in the "hash" GET parameter for the api endpoint located at /webservices/api/v2.php that can… |
| CVE-2026-33707 | Critical | 9.4 | 2026-04-10 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no… |
| CVE-2026-32892 | Critical | 9.1 | 2026-04-10 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move funct… |
| CVE-2025-50199 | Critical | 9.1 | 2026-03-02 | Chamilo is a learning management system. Prior to version 1.11.30, there is a blind SSRF vulnerability in /index.php via the POST openid_url parameter. This is… |
| CVE-2025-59543 | Critical | 9.0 | 2026-03-06 | Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScrip… |
| CVE-2025-59542 | Critical | 9.0 | 2026-03-06 | Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScrip… |
| CVE-2025-55208 | Critical | 9.0 | 2026-03-05 | Chamilo is a learning management system. Versions prior to 1.11.34 have a Stored XSS through insecure file uploads in `Social Networks`. Through it, a low-priv… |
| CVE-2026-40291 | High | 8.8 | 2026-04-14 | Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api… |
| CVE-2026-35196 | High | 8.8 | 2026-04-14 | Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an OS Command Injection vulnerability exists in the main/inc/ajax/gr… |
| CVE-2026-33618 | High | 8.8 | 2026-04-10 | Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse pl… |