VYPR

Chamilo LMS

by Chamilo

CVEs (145)

  • CVE-2021-34187 · Jun 28, 2021
    risk 0.01 · cvss · epss 0.16

    main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter.

  • CVE-2025-66447 · Non · Apr 10, 2026
    risk 0.00 · cvss 0.0 · epss 0.00

    Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2.

  • CVE-2026-30882 · Mar 16, 2026
    risk 0.00 · cvss · epss 0.00

    Chamilo LMS is a learning management system. Chamilo LMS version 1.11.34 and prior contains a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page. The keyword parameter from $_REQUEST is echoed directly into an HTML href attribute without any…

  • CVE-2026-30881 · Mar 16, 2026
    risk 0.00 · cvss · epss 0.00

    Chamilo LMS is a learning management system. Version 1.11.34 and prior contains a SQL Injection vulnerability in the statistics AJAX endpoint. The parameters date_start and date_end from $_REQUEST are embedded directly into a raw SQL string without proper sanitization. Although…

  • CVE-2026-30876 · Mar 16, 2026
    risk 0.00 · cvss · epss 0.00

    Chamilo LMS is a learning management system. Prior to version 1.11.36, Chamilo is vulnerable to user enumeration with valid/invalid username. This issue has been patched in version 1.11.36.

  • CVE-2026-30875 · Mar 16, 2026
    risk 0.00 · cvss · epss 0.01

    Chamilo LMS is a learning management system. Prior to version 1.11.36, an arbitrary file upload vulnerability in the H5P Import feature allows authenticated users with Teacher role to achieve Remote Code Execution (RCE). The H5P package validation only checks if h5p.json exists…

  • CVE-2026-28430 · Mar 16, 2026
    risk 0.00 · cvss · epss 0.00

    Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the custom_dates parameter. By chaining this with a predictable legacy password…

  • CVE-2026-29041 · Mar 6, 2026
    risk 0.00 · cvss · epss 0.01

    Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The application relies solely on MIME-type verification when handling file uploads…

  • CVE-2025-59544 · Mar 6, 2026
    risk 0.00 · cvss · epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "category_id" parameter which allows users to update the category of any user by replacing the "category_id"…

  • CVE-2025-59543 · Mar 6, 2026
    risk 0.00 · cvss · epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course description field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary…

  • CVE-2025-59542 · Mar 6, 2026
    risk 0.00 · cvss · epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course learning path Settings field, an attacker with a low-privileged account (e.g., trainer) can execute…

  • CVE-2025-59541 · Mar 6, 2026
    risk 0.00 · cvss · epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victim’s consent. The issue arises because sensitive actions such as project deletion do not…

  • CVE-2025-59540 · Mar 6, 2026
    risk 0.00 · cvss · epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the…

  • CVE-2025-55289 · Mar 6, 2026
    risk 0.00 · cvss · epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Version 1.11.32) that allows an attacker to inject arbitrary JavaScript into the platform’s social network and internal messaging features. When viewed by an…

  • CVE-2025-55208 · Mar 5, 2026
    risk 0.00 · cvss · epss 0.00

    Chamilo is a learning management system. Versions prior to 1.11.34 have a Stored XSS through insecure file uploads in `Social Networks`. Through it, a low-privilege user can execute arbitrary code in the admin user inbox, allowing takeover of the admin account. Version 1.11.34…

  • CVE-2025-52564 · Mar 2, 2026
    risk 0.00 · cvss · epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.30, the open parameter of help.php fails to properly sanitize user input. This allows an attacker to inject arbitrary HTML, such as underlined text, via a crafted URL. This issue has been patched in version 1.11.30.

  • CVE-2025-52998 · Mar 2, 2026
    risk 0.00 · cvss · epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.30, the application deserializes data that can be spoofed. An attacker can create objects of arbitrary classes, as well as fully control their properties, and thus modify the logic of the…

  • CVE-2025-50199 · Mar 2, 2026
    risk 0.00 · cvss · epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.30, there is a blind SSRF vulnerability in /index.php via the POST openid_url parameter. This issue has been patched in version 1.11.30.

  • CVE-2025-52563 · Mar 2, 2026
    risk 0.00 · cvss · epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to insufficient sanitization of the page parameter in the session/add_users_to_session.php endpoint. This issue has been patched in version…

  • CVE-2025-52475 · Mar 2, 2026
    risk 0.00 · cvss · epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability in the admin/user_list.php endpoint. The keyword_inactive parameter is not properly sanitized, allowing attackers to inject malicious JavaScript…
