
chamilo — Vulnerabilities & Security Advisories (83)

Browse all 83 CVE security advisories affecting chamilo. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Chamilo is an open-source learning management system designed for educational institutions and corporate training environments, facilitating online course delivery and student management. Security audits reveal a significant history of vulnerabilities, with eighty-three Common Vulnerabilities and Exposures (CVEs) currently documented. These flaws predominantly involve remote code execution, cross-site scripting, and privilege escalation, often stemming from insufficient input validation and weak access controls in older versions. Notable incidents include arbitrary file upload vulnerabilities that allowed attackers to execute malicious scripts on the server, compromising system integrity. The platform’s reliance on legacy PHP frameworks has contributed to these recurring security issues, necessitating rigorous patching and configuration hardening. While newer iterations have improved security postures, the extensive CVE record highlights the critical need for continuous monitoring and secure coding practices to mitigate risks associated with its widespread deployment in academic settings.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40291 | Chamilo LMS has Privilege Escalation via API User Role Modification | chamilo-lms | CWE-269 | 8.8 | High | 2026-04-14 |
| CVE-2026-35196 | Chamilo LMS has OS Command Injection via export_all_certificates action | chamilo-lms | CWE-78 | 8.8 | High | 2026-04-14 |
| CVE-2026-34602 | Chamilo LMS: IDOR in /api/course_rel_users Allows Unauthorized Enrollment of Arbitrary Users into Courses | chamilo-lms | CWE-639 | 7.1 | High | 2026-04-14 |
| CVE-2026-34370 | Chamilo LMS: IDOR in the Notebook Module allows an attacker to view other users' private notes | chamilo-lms | CWE-285 | 6.5 | Medium | 2026-04-14 |
| CVE-2026-34161 | Chamilo LMS: Stored XSS via Malicious File Upload in Social Post Attachments Leads to Arbitrary JavaScript Execution | chamilo-lms | CWE-79 | 5.4 | - | 2026-04-14 |
| CVE-2026-34160 | Chamilo LMS: Unauthenticated SSRF via PENS Plugin allows attacker to probe internal network and reach cloud metadata services | chamilo-lms | CWE-306 | 8.6 | High | 2026-04-14 |
| CVE-2026-33715 | Chamilo LMS has Unauthenticated SSRF and Open Email Relay via install.ajax.php test_mailer action | chamilo-lms | CWE-306 | 7.2 | High | 2026-04-14 |
| CVE-2026-33714 | Chamilo LMS has Authenticated SQL Injection in statistics.ajax.php users_active action (2.0 RC2) | chamilo-lms | CWE-89 | 8.8 | - | 2026-04-14 |
| CVE-2026-33737 | Chamilo LMS has an XML External Entity (XXE) Injection | chamilo-lms | CWE-611 | 5.3 | Medium | 2026-04-10 |
| CVE-2026-33736 | Chamilo LMS has an Insecure Direct Object Reference (IDOR) - User Data Exposure | chamilo-lms | CWE-639 | 6.5 | Medium | 2026-04-10 |
| CVE-2026-33710 | Chamilo LMS has Weak REST API Key Generation (Predictable) | chamilo-lms | CWE-330 | 7.5 | High | 2026-04-10 |
| CVE-2026-33708 | Chamilo LMS has REST API PII Exposure via get_user_info_from_username | chamilo-lms | CWE-862 | 6.5 | Medium | 2026-04-10 |
| CVE-2026-33707 | Weak Password Recovery Mechanism for Forgotten Password in chamilo/chamilo-lms | chamilo-lms | CWE-640 | 9.4 | Critical | 2026-04-10 |
| CVE-2026-33706 | Chamilo LMS has a REST API Self-Privilege Escalation (Student → Teacher) | chamilo-lms | CWE-269 | 7.1 | High | 2026-04-10 |
| CVE-2026-33705 | Chamilo LMS has unauthenticated access to Twig template source files exposes application logic | chamilo-lms | CWE-538 | 5.3 | Medium | 2026-04-10 |
| CVE-2026-33704 | Chamilo LMS Affected by Authenticated Arbitrary File Write via BigUpload endpoint | chamilo-lms | CWE-434 | 7.1 | High | 2026-04-10 |
| CVE-2026-33703 | Chamilo LMS Critical IDOR: Any Authenticated User Can Extract All Users’ Personal Data and API Tokens | chamilo-lms | CWE-639 | 8.1 | - | 2026-04-10 |
| CVE-2026-33702 | Chamilo LMS has an Insecure Direct Object Reference (IDOR) | chamilo-lms | CWE-639 | 7.1 | High | 2026-04-10 |
| CVE-2026-33698 | Chamilo LMS affected by unauthenticated RCE in main/install folder | chamilo-lms | CWE-552 | 9.8 | - | 2026-04-10 |
| CVE-2026-33618 | Chamilo LMS Affected by Remote Code Execution via eval() in Platform Settings | chamilo-lms | CWE-95 | 8.8 | High | 2026-04-10 |
| CVE-2026-33141 | Chamilo LMS has an IDOR in REST API Stats Endpoint Exposes Any User's Learning Data | chamilo-lms | CWE-639 | 6.5 | Medium | 2026-04-10 |
| CVE-2026-32892 | OS Command Injection in Chamilo LMS 1.11.36 | chamilo-lms | CWE-78 | 9.1 | Critical | 2026-04-10 |
| CVE-2026-32932 | Chamilo LMS has an Open Redirect via Unvalidated 'page' Parameter in Session Course Edit | chamilo-lms | CWE-601 | 4.7 | Medium | 2026-04-10 |
| CVE-2026-32931 | Chamilo LMS has Arbitrary File Upload via MIME-Only Validation in Exercise Sound Upload Leads to RCE | chamilo-lms | CWE-434 | 7.5 | High | 2026-04-10 |
| CVE-2026-32930 | Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Evaluation Edit Without Ownership Check | chamilo-lms | CWE-639 | 7.1 | High | 2026-04-10 |
| CVE-2026-32894 | Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Deletion of Any Student's Grade Result | chamilo-lms | CWE-476 | 7.1 | High | 2026-04-10 |
| CVE-2026-32893 | Chamilo LMS has Reflected XSS via Unsanitized http_build_query() in Exercise Question List Pagination | chamilo-lms | CWE-79 | 5.4 | Medium | 2026-04-10 |
| CVE-2026-31941 | Server-Side Request Forgery (SSRF) in Chamilo LMS | chamilo-lms | CWE-918 | 7.7 | High | 2026-04-10 |
| CVE-2026-31940 | Session Fixation in Chamilo LMS | chamilo-lms | CWE-384 | 7.5 | High | 2026-04-10 |
| CVE-2026-31939 | Path Traversal (Arbitrary File Delete) in Chamilo LMS | chamilo-lms | CWE-22 | 8.3 | High | 2026-04-10 |

This page lists every published CVE security advisory associated with chamilo. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.