Chamilo Chamilo_lms

122 CVEs affecting Chamilo Chamilo_lms. Latest disclosed: 2026-04-14. Critical: 17, High: 51.

Top CVEs affecting Chamilo Chamilo_lms
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-33698 | Critical | 9.8 | 2026-04-10 | Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allo… |
| CVE-2026-28430 | Critical | 9.8 | 2026-03-16 | Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to… |
| CVE-2025-52998 | Critical | 9.8 | 2026-03-02 | Chamilo is a learning management system. Prior to version 1.11.30, in the application, deserialization of data is performed, the data can be spoofed. An attack… |
| CVE-2025-50192 | Critical | 9.8 | 2026-03-02 | Chamilo is a learning management system. Prior to version 1.11.30, there is a time-based SQL Injection found in /main/webservices/registration.soap.php. Thi… |
| CVE-2025-50190 | Critical | 9.8 | 2026-03-02 | Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the GET openid.assoc_handle parameter with the /in… |
| CVE-2025-50187 | Critical | 9.8 | 2026-03-02 | Chamilo is a learning management system. Prior to version 1.11.28, parameter from SOAP request is evaluated without filtering which leads to Remote Code Execut… |
| CVE-2023-34944 | Critical | 9.8 | 2023-06-13 | An arbitrary file upload vulnerability in the /fileUpload.lib.php component of Chamilo 1.11.* up to v1.11.18 allows attackers to execute arbitrary code via upl… |
| CVE-2022-27423 | Critical | 9.8 | 2022-04-15 | Chamilo LMS v1.11.13 was discovered to contain a SQL injection vulnerability via the blog_id parameter at /blog/blog.php. |
| CVE-2021-35414 | Critical | 9.8 | 2021-12-03 | Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php. |
| CVE-2019-13082 | Critical | 9.8 | 2019-06-30 | Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. It extracts a ZIP archive before checking… |
| CVE-2018-1999019 | Critical | 9.8 | 2018-07-23 | Chamilo LMS version 11.x contains an Unserialization vulnerability in the "hash" GET parameter for the api endpoint located at /webservices/api/v2.php that can… |
| CVE-2026-33707 | Critical | 9.4 | 2026-04-10 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no… |
| CVE-2026-32892 | Critical | 9.1 | 2026-04-10 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move funct… |
| CVE-2025-50199 | Critical | 9.1 | 2026-03-02 | Chamilo is a learning management system. Prior to version 1.11.30, there is a blind SSRF vulnerability in /index.php via the POST openid_url parameter. This is… |
| CVE-2025-59543 | Critical | 9.0 | 2026-03-06 | Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScrip… |
| CVE-2025-59542 | Critical | 9.0 | 2026-03-06 | Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScrip… |
| CVE-2025-55208 | Critical | 9.0 | 2026-03-05 | Chamilo is a learning management system. Versions prior to 1.11.34 have a Stored XSS through insecure file uploads in `Social Networks`. Through it, a low-priv… |
| CVE-2026-40291 | High | 8.8 | 2026-04-14 | Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api… |
| CVE-2026-35196 | High | 8.8 | 2026-04-14 | Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an OS Command Injection vulnerability exists in the main/inc/ajax/gr… |
| CVE-2026-33618 | High | 8.8 | 2026-04-10 | Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse pl… |