Unrated severityNVD Advisory· Published Mar 2, 2026· Updated Mar 2, 2026
Chamilo: HTML injection via open parameter
CVE-2025-52564
Description
Chamilo is a learning management system. Prior to version 1.11.30, the open parameter of help.php fails to properly sanitize user input. This allows an attacker to inject arbitrary HTML, such as underlined text, via a crafted URL. This issue has been patched in version 1.11.30.
Affected products
2<1.11.30+ 1 more
- (no CPE)range: <1.11.30
- (no CPE)range: < 1.11.30
Patches
Vulnerability mechanics
References
4- github.com/chamilo/chamilo-lms/commit/083b1d2b0c29b0cc0313a28165ad47bebae9dcb2mitrex_refsource_MISC
- github.com/chamilo/chamilo-lms/commit/1ee2d8bb61b67e08946cd80b1a9b92c1a9959c7bmitrex_refsource_MISC
- github.com/chamilo/chamilo-lms/releases/tag/v1.11.30mitrex_refsource_MISC
- github.com/chamilo/chamilo-lms/security/advisories/GHSA-6fmm-qrx4-wgqcmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.