Chamilo Lms
by Chamilo
Source repositories
CVEs (145)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-32894 | Hig | 0.39 | 7.1 | 0.00 | Apr 10, 2026 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by… | ||
| CVE-2026-34370 | Med | 0.35 | 6.5 | 0.00 | Apr 14, 2026 | Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the notebook module contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated student to read the private course notes of any other user on the… | ||
| CVE-2026-33736 | Med | 0.35 | 6.5 | 0.00 | Apr 10, 2026 | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is… | ||
| CVE-2026-33708 | Med | 0.35 | 6.5 | 0.00 | Apr 10, 2026 | Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no… | ||
| CVE-2026-33703 | Med | 0.35 | 6.5 | 0.00 | Apr 10, 2026 | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by… | ||
| CVE-2026-33141 | Med | 0.35 | 6.5 | 0.00 | Apr 10, 2026 | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress,… | ||
| CVE-2026-1106 | Med | 0.35 | 5.4 | 0.00 | Jan 18, 2026 | A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in… | ||
| CVE-2025-29529 | Med | 0.35 | 6.5 | 0.00 | Apr 24, 2025 | ITC Systems Multiplan/Matrix OneCard platform v3.7.4.1002 was discovered to contain a SQL injection vulnerability via the component Forgotpassword.aspx. | ||
| CVE-2026-34161 | Med | 0.28 | 5.4 | 0.00 | Apr 14, 2026 | Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the social post attachment upload functionality, where an authenticated user can upload a malicious HTML file containing… | ||
| CVE-2026-32893 | Med | 0.28 | 5.4 | 0.00 | Apr 10, 2026 | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges… | ||
| CVE-2025-26153 | Med | 0.28 | 5.4 | 0.00 | Apr 16, 2025 | A Stored XSS vulnerability exists in the message compose feature of Chamilo LMS 1.11.28. Attackers can inject malicious scripts into messages, which execute when victims, such as administrators, reply to the message. | ||
| CVE-2026-33737 | Med | 0.27 | 5.3 | 0.00 | Apr 10, 2026 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | ||
| CVE-2026-33705 | Med | 0.27 | 5.3 | 0.00 | Apr 10, 2026 | Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs,… | ||
| CVE-2026-32932 | Med | 0.24 | 4.7 | 0.00 | Apr 10, 2026 | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The… | ||
| CVE-2023-34960 | 0.11 | — | 0.99 | Aug 1, 2023 | A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name. | |||
| CVE-2023-4220 | 0.09 | — | 0.76 | Nov 28, 2023 | Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web… | |||
| CVE-2023-3368 | 0.06 | — | 0.69 | Nov 28, 2023 | Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters. This is a bypass of CVE-2023-34960. | |||
| CVE-2021-31933 | 0.04 | — | 0.14 | Apr 30, 2021 | A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to… | |||
| CVE-2021-37391 | 0.03 | — | 0.02 | Aug 10, 2021 | A user without privileges in Chamilo LMS 1.11.14 can send an invitation message to another user, e.g., the administrator, through main/social/search.php, main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on the administration side via a stored XSS… | |||
| CVE-2013-6787 | 0.03 | — | 0.03 | Dec 5, 2013 | SQL injection vulnerability in the check_user_password function in main/auth/profile.php in Chamilo LMS 1.9.6 and earlier, when using the non-encrypted passwords mode set at installation, allows remote authenticated users to execute arbitrary SQL commands via the "password0"… |
- risk 0.39cvss 7.1epss 0.00
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by…
- risk 0.35cvss 6.5epss 0.00
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the notebook module contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated student to read the private course notes of any other user on the…
- risk 0.35cvss 6.5epss 0.00
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is…
- risk 0.35cvss 6.5epss 0.00
Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no…
- risk 0.35cvss 6.5epss 0.00
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by…
- risk 0.35cvss 6.5epss 0.00
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress,…
- risk 0.35cvss 5.4epss 0.00
A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in…
- risk 0.35cvss 6.5epss 0.00
ITC Systems Multiplan/Matrix OneCard platform v3.7.4.1002 was discovered to contain a SQL injection vulnerability via the component Forgotpassword.aspx.
- risk 0.28cvss 5.4epss 0.00
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the social post attachment upload functionality, where an authenticated user can upload a malicious HTML file containing…
- risk 0.28cvss 5.4epss 0.00
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges…
- risk 0.28cvss 5.4epss 0.00
A Stored XSS vulnerability exists in the message compose feature of Chamilo LMS 1.11.28. Attackers can inject malicious scripts into messages, which execute when victims, such as administrators, reply to the message.
- risk 0.27cvss 5.3epss 0.00
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
- risk 0.27cvss 5.3epss 0.00
Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs,…
- risk 0.24cvss 4.7epss 0.00
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The…
- CVE-2023-34960Aug 1, 2023risk 0.11cvss —epss 0.99
A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.
- CVE-2023-4220Nov 28, 2023risk 0.09cvss —epss 0.76
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web…
- CVE-2023-3368Nov 28, 2023risk 0.06cvss —epss 0.69
Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters. This is a bypass of CVE-2023-34960.
- CVE-2021-31933Apr 30, 2021risk 0.04cvss —epss 0.14
A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to…
- CVE-2021-37391Aug 10, 2021risk 0.03cvss —epss 0.02
A user without privileges in Chamilo LMS 1.11.14 can send an invitation message to another user, e.g., the administrator, through main/social/search.php, main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on the administration side via a stored XSS…
- CVE-2013-6787Dec 5, 2013risk 0.03cvss —epss 0.03
SQL injection vulnerability in the check_user_password function in main/auth/profile.php in Chamilo LMS 1.9.6 and earlier, when using the non-encrypted passwords mode set at installation, allows remote authenticated users to execute arbitrary SQL commands via the "password0"…
Page 2 of 8