VYPR

Chamilo Lms

by Chamilo

Source repositories

CVEs (145)

  • CVE-2025-52476Mar 2, 2026
    risk 0.00cvss epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to improper sanitization of the keyword_active parameter in admin/user_list.php. This issue has been patched in version 1.11.30.

  • CVE-2025-52470Mar 2, 2026
    risk 0.00cvss epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists in the session_category_add.php script. The vulnerability is caused by improper sanitization of the Category Name field, allowing privileged users to…

  • CVE-2025-52469Mar 2, 2026
    risk 0.00cvss epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.30, a logic vulnerability in the friend request workflow of Chamilo’s social network module allows an authenticated user to forcibly add any user as a friend by directly calling the AJAX endpoint. The attacker can…

  • CVE-2025-52468Mar 2, 2026
    risk 0.00cvss epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. This flaw occurs due to insufficient sanitization of user data, specifically in the "Last Name", "First Name", and "Username"…

  • CVE-2025-50198Mar 2, 2026
    risk 0.00cvss epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.30, Chamilo is vulnerable to deserialization of untrusted data in /plugin/vchamilo/views/import.php via POST configuration_file; POST course_path; POST home_path parameters. This issue has been patched in version…

  • CVE-2025-50197Mar 2, 2026
    risk 0.00cvss epss 0.03

    Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/admin/sub_language_ajax.inc.php via the POST new_language parameter. This issue has been patched in version 1.11.30.

  • CVE-2025-50196Mar 2, 2026
    risk 0.00cvss epss 0.03

    Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/editinstance.php via the POST main_database parameter. This issue has been patched in version 1.11.30.

  • CVE-2025-50195Mar 2, 2026
    risk 0.00cvss epss 0.03

    Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/manage.controller.php. This issue has been patched in version 1.11.30.

  • CVE-2025-50194Mar 2, 2026
    risk 0.00cvss epss 0.03

    Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/cron/lang/check_parse_lang.php. This issue has been patched in version 1.11.30.

  • CVE-2025-50193Mar 2, 2026
    risk 0.00cvss epss 0.03

    Chamilo is a learning management system. Prior to version 1.11.30, there is an OS command Injection vulnerability in /plugin/vchamilo/views/import.php with the POST to_main_database parameter. This issue has been patched in version 1.11.30.

  • CVE-2025-50192Mar 2, 2026
    risk 0.00cvss epss 0.01

    Chamilo is a learning management system. Prior to version 1.11.30, there is a time-based SQL Injection in found in /main/webservices/registration.soap.php. This issue has been patched in version 1.11.30.

  • CVE-2025-50191Mar 2, 2026
    risk 0.00cvss epss 0.01

    Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via POST userFile with the /main/exercise/hotpotatoes.php script. This issue has been patched in version 1.11.30.

  • CVE-2025-50190Mar 2, 2026
    risk 0.00cvss epss 0.01

    Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the GET openid.assoc_handle parameter with the /index.php script. This issue has been patched in version 1.11.30.

  • CVE-2025-50189Mar 2, 2026
    risk 0.00cvss epss 0.01

    Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the POST resource[document][SQL_INJECTION_HERE] and POST login parameters found in /main/coursecopy/copy_course_session_selected.p…

  • CVE-2025-50188Mar 2, 2026
    risk 0.00cvss epss 0.01

    Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the GET value parameter with the following scripts: /plugin/vchamilo/views/syncparams.php and /plugin/vchamilo/ajax/service.php,…

  • CVE-2025-52482Mar 2, 2026
    risk 0.00cvss epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS vulnerability exists in the glossary function, enabling all users with the Teachers role to inject JavaScript malicious code against the administrator. This issue has been patched in version 1.11.30.

  • CVE-2025-50187Mar 2, 2026
    risk 0.00cvss epss 0.01

    Chamilo is a learning management system. Prior to version 1.11.28, parameter from SOAP request is evaluated without filtering which leads to Remote Code Execution. This issue has been patched in version 1.11.28.

  • CVE-2025-50186Mar 2, 2026
    risk 0.00cvss epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of CSV filenames. An attacker can upload a maliciously named CSV file (e.g., .csv) that leads…

  • CVE-2024-50337Mar 2, 2026
    risk 0.00cvss epss 0.00

    Chamilo is a learning management system. Prior to version 1.11.28, the OpenId function allows anyone to send requests to any URL on server's behalf, which results in unauthenticated blind SSRF. This issue has been patched in version 1.11.28.

  • CVE-2024-47886Mar 2, 2026
    risk 0.00cvss epss 0.01

    Chamilo is a learning management system. Chamillo is affected by a post-authentication phar unserialize which leads to a remote code execution (RCE) within versions 1.11.12 to 1.11.26. By abusing multiple supported features from the virtualization plugin vchamilo, the…

Page 4 of 8