9 matches found
CVE-2026-33141 Chamilo LMS has an IDOR in REST API Stats Endpoint Exposes Any User's Learning Data
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference IDOR vulnerability in the REST API stats endpoint allows any authenticated user including low-privilege students with ROLEUSER to read any other user's learning progress, certificates, and...
CVE-2026-29041
Chamilo LMS is affected prior to version 1.11.34 by an authenticated remote code execution flaw due to inadequate validation of uploaded files. The system relies on MIME-type checks and does not properly validate file extensions or enforce safe storage, allowing an authenticated low-privileged us...
CVE-2025-55208
Chamilo is a learning management system. Versions prior to 1.11.34 have a Stored XSS through insecure file uploads in Social Networks. Through it, a low-privilege user can execute arbitrary code in the admin user inbox, allowing takeover of the admin account. Version 1.11.34 fixes the issue...
CVE-2025-52482 Chamilo: Stored XSS in glossary function via /main/glossary/index.php trigger in /main/tracking/course_log_resources.php
Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS vulnerability exists in the glossary function, enabling all users with the Teachers role to inject JavaScript malicious code against the administrator. This issue has been patched in version 1.11.30...
PT-2026-22587
Name of the Vulnerable Software and Affected Versions Chamilo versions 1.11.12 through 1.11.26 Description Chamilo is a learning management system affected by a post-authentication PHP unserialize issue that can lead to remote code execution RCE. The vulnerability allows an administrator to execu...
CVE-2023-34961
Chamilo v1.11.x up to v1.11.18 was discovered to contain a cross-site scripting XSS vulnerability via the /feedback/comment field...
CVE-2022-40407
A zip slip vulnerability in the file upload function of Chamilo v1.11 allows attackers to execute arbitrary code via a crafted Zip file...
Exploit for Unrestricted Upload of File with Dangerous Type in Chamilo Chamilo_Lms
Chamilo LMS CVE-2023-4220 Exploit Overview This script ex...
CVE-2023-37064
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section...