Unrated severityNVD Advisory· Published Mar 2, 2026· Updated Mar 2, 2026
Chamilo: HTML injection via open parameter
CVE-2025-52564
Description
Chamilo is a learning management system. Prior to version 1.11.30, the open parameter of help.php fails to properly sanitize user input. This allows an attacker to inject arbitrary HTML, such as underlined text, via a crafted URL. This issue has been patched in version 1.11.30.
Affected products
1- Range: < 1.11.30
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/chamilo/chamilo-lms/commit/083b1d2b0c29b0cc0313a28165ad47bebae9dcb2mitrex_refsource_MISC
- github.com/chamilo/chamilo-lms/commit/1ee2d8bb61b67e08946cd80b1a9b92c1a9959c7bmitrex_refsource_MISC
- github.com/chamilo/chamilo-lms/releases/tag/v1.11.30mitrex_refsource_MISC
- github.com/chamilo/chamilo-lms/security/advisories/GHSA-6fmm-qrx4-wgqcmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.