Unrated severity · NVD Advisory · Published Mar 2, 2026 · Updated Mar 2, 2026
Chamilo: Stored XSS via Malicious CSV Filename in user_import.php
CVE-2025-50186
Description
Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of CSV filenames. An attacker can upload a maliciously named CSV file (e.g., .csv) that leads to JavaScript execution when viewed by administrators or users with access to import logs or file views. This issue has been patched in version 1.11.30.
Affected products
- (no CPE) range: <= 1.11.29
- (no CPE) range: < 1.11.30
References
- github.com/chamilo/chamilo-lms/commit/9fef8f30b41d586cb4f4fc823906c16a12ae0ff4 (mitre, x_refsource_MISC)
- github.com/chamilo/chamilo-lms/releases/tag/v1.11.30 (mitre, x_refsource_MISC)
- github.com/chamilo/chamilo-lms/security/advisories/GHSA-wrx6-5v5r-mmgx (mitre, x_refsource_CONFIRM)