chamilo — Vulnerabilities & Security Advisories 83

Browse all 83 CVE security advisories affecting chamilo. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Chamilo is an open-source learning management system designed for educational institutions and corporate training environments, facilitating online course delivery and student management. Security audits reveal a significant history of vulnerabilities, with eighty-three Common Vulnerabilities and Exposures (CVEs) currently documented. These flaws predominantly involve remote code execution, cross-site scripting, and privilege escalation, often stemming from insufficient input validation and weak access controls in older versions. Notable incidents include arbitrary file upload vulnerabilities that allowed attackers to execute malicious scripts on the server, compromising system integrity. The platform’s reliance on legacy PHP frameworks has contributed to these recurring security issues, necessitating rigorous patching and configuration hardening. While newer iterations have improved security postures, the extensive CVE record highlights the critical need for continuous monitoring and secure coding practices to mitigate risks associated with its widespread deployment in academic settings.

Found 69 results / 83
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-66447 | Chamilo LMS has validation-less redirect on login page | chamilo-lms | CWE-601 | - | - | 2026-04-10 |
| CVE-2026-30882 | Chamilo LMS: Reflected XSS in the session category listing page | chamilo-lms | CWE-79 | 6.1 | Medium | 2026-03-16 |
| CVE-2026-30881 | Chamilo LMS: SQL Injection in the statistics AJAX endpoint | chamilo-lms | CWE-89 | 8.8 | High | 2026-03-16 |
| CVE-2026-30876 | Chamilo LMS: User enumeration vulnerability via response | chamilo-lms | CWE-204 | 5.3 (AI) | Medium (AI) | 2026-03-16 |
| CVE-2026-30875 | Chamilo LMS: Authenticated RCE via H5P Import | chamilo-lms | CWE-94 | 8.8 | High | 2026-03-16 |
| CVE-2026-28430 | Chamilo LMS Vulnerable to Unauthenticated SQL Injection in chamiko-lms model.ajax.php | chamilo-lms | CWE-89 | 9.8 (AI) | Critical (AI) | 2026-03-16 |
| CVE-2026-29041 | Chamilo: Authenticated Remote Code Execution via Unrestricted File Upload | chamilo-lms | CWE-434 | 8.8 | High | 2026-03-06 |
| CVE-2025-59544 | Chamilo: Unauthorized access to update category of any user | chamilo-lms | CWE-862 | 4.3 | - | 2026-03-06 |
| CVE-2025-59543 | Chamilo: Account Takeover via Stored XSS in Course Description | chamilo-lms | CWE-79 | 9.1 | Critical | 2026-03-06 |
| CVE-2025-59542 | Chamilo: Account Takeover via Stored XSS in Course Learning Paths | chamilo-lms | CWE-79 | 9.1 | Critical | 2026-03-06 |
| CVE-2025-59541 | Chamilo: CSRF Vulnerability in Project Deletion | chamilo-lms | CWE-352 | 8.1 | High | 2026-03-06 |
| CVE-2025-59540 | Chamilo: Stored Cross-Site Scripting (XSS) in Chamilo LMS Exercise Feedback | chamilo-lms | CWE-80 | 4.8 | - | 2026-03-06 |
| CVE-2025-55289 | Chamilo: Stored Cross Site Scripting in Skills Argumentation | chamilo-lms | CWE-79 | 8.8 | High | 2026-03-06 |
| CVE-2025-55208 | Chamilo LMS has Stored Cross Site Scripting on Social Networks Uploaded Files | chamilo-lms | CWE-79 | 9.1 | Critical | 2026-03-05 |
| CVE-2025-52564 | Chamilo: HTML injection via open parameter | chamilo-lms | CWE-80 | 6.1 (AI) | Medium (AI) | 2026-03-02 |
| CVE-2025-52998 | Chamilo: PHAR deserialization bypass | chamilo-lms | CWE-502 | 8.1 (AI) | High (AI) | 2026-03-02 |
| CVE-2025-50199 | Chamilo: Blind Server-Side Request Forgery (Unauth Blind SSRF) | chamilo-lms | CWE-918 | 9.1 (AI) | Critical (AI) | 2026-03-02 |
| CVE-2025-52563 | Chamilo: Reflected XSS via page parameter | chamilo-lms | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-03-02 |
| CVE-2025-52475 | Chamilo: Reflected XSS via keyword_inactive parameter | chamilo-lms | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-03-02 |
| CVE-2025-52476 | Chamilo: Reflected XSS via keyword_active parameter | chamilo-lms | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-03-02 |
| CVE-2025-52470 | Chamilo: Stored Cross-Site Scripting (XSS) via Session Category Name | chamilo-lms | CWE-79 | 4.8 | Medium | 2026-03-02 |
| CVE-2025-52469 | Chamilo: Friend Request Workflow Bypass - Unauthorized Friend Addition and ID Validation Bypass | chamilo-lms | CWE-841 | 7.1 | High | 2026-03-02 |
| CVE-2025-52468 | Chamilo: Stored XSS Vulnerability via CSV User Import | chamilo-lms | CWE-79 | 8.8 | High | 2026-03-02 |
| CVE-2025-50198 | Chamilo: Deserialization of untrusted data in /plugin/vchamilo/views/import.php via POST configuration_file; POST course_path; POST home_path parameters | chamilo-lms | CWE-502 | 9.8 (AI) | Critical (AI) | 2026-03-02 |
| CVE-2025-50197 | Chamilo: OS Command Injection in /main/admin/sub_language_ajax.inc.php via POST new_language parameter | chamilo-lms | CWE-78 | 9.8 (AI) | Critical (AI) | 2026-03-02 |
| CVE-2025-50196 | Chamilo: OS Command Injection in /plugin/vchamilo/views/editinstance.php via POST main_database parameter | chamilo-lms | CWE-78 | 9.8 (AI) | Critical (AI) | 2026-03-02 |
| CVE-2025-50195 | Chamilo: OS Command Injection in /plugin/vchamilo/views/manage.controller.php | chamilo-lms | CWE-78 | 9.8 (AI) | Critical (AI) | 2026-03-02 |
| CVE-2025-50194 | Chamilo: OS Command Injection in /main/cron/lang/check_parse_lang.php | chamilo-lms | CWE-78 | 9.8 (AI) | Critical (AI) | 2026-03-02 |
| CVE-2025-50193 | Chamilo: OS command Injection in /plugin/vchamilo/views/import.php with the POST to_main_database parameter | chamilo-lms | CWE-78 | 9.8 (AI) | Critical (AI) | 2026-03-02 |
| CVE-2025-50192 | Chamilo: Time-based SQL Injection in /main/webservices/registration.soap.php | chamilo-lms | CWE-89 | 9.8 (AI) | Critical (AI) | 2026-03-02 |

This page lists every published CVE security advisory associated with chamilo. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.