Unrated severityNVD Advisory· Published Mar 6, 2026· Updated Mar 6, 2026

Chamilo: Stored Cross-Site Scripting (XSS) in Chamilo LMS Exercise Feedback

CVE-2025-59540

Description

Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is not properly encoded before rendering, allowing malicious scripts to persist in the database and execute on view. This issue has been patched in version 1.11.34.

Affected products

Chamilo/Chamilo Lmsv5
Range: < 1.11.34

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/chamilo/chamilo-lms/releases/tag/v1.11.34mitrex_refsource_MISC
github.com/chamilo/chamilo-lms/security/advisories/GHSA-59h4-34mx-m67mmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000