Lucene search
K

57 matches found

CVE
CVE
added 2026/04/10 5:32 p.m.12 views

CVE-2026-31939

Chamilo LMS prior to 1.11.38 is affected by a path traversal vulnerability in main/exercise/savescores.php that allows arbitrary file deletion via user input from $_REQUEST['test'], concatenated into a filesystem path without canonicalization or traversal checks. The issue is fixed in version 1.1...

8.3CVSS5.9AI score0.0035EPSS
Web
CVE
CVE
added 2026/04/10 6:54 p.m.12 views

CVE-2026-33708

Chamilo LMS exposes PII via the get_user_info_from_username REST endpoint before version 1.11.38. Any authenticated user (including students) can retrieve another user’s email, first name, last name, user ID, and active status due to missing authorization checks. This has been fixed in 1.11.38. R...

6.5CVSS5.8AI score0.00209EPSS
CVE
CVE
added 2026/03/02 2:53 p.m.11 views

CVE-2025-50190

CVE-2025-50190 affects Chamilo LMS (pre-1.11.30) via an error-based SQL injection in the index.php script, triggered by the GET parameter openid.assoc_handle. Public sources confirm vulnerable versions prior to 1.11.30 and indicate a patch in 1.11.30. Connected reports (CNVD/CIRCL/NVD/OSV, etc.) ...

9.8CVSS5.9AI score0.00587EPSS
CVE
CVE
added 2026/03/02 3:49 p.m.11 views

CVE-2025-52475

CVE-2025-52475 affects Chamilo LMS before 1.11.30. A reflected XSS exists in the admin/user_list.php endpoint where the keyword_inactive parameter is not properly sanitized, allowing an attacker to inject JavaScript via a crafted URL. The issue is patched in version 1.11.30. No exploitation detai...

6.1CVSS5.7AI score0.00187EPSS
Web
CVE
CVE
added 2026/04/10 6:32 p.m.11 views

CVE-2026-33705

CVE-2026-33705 affects Chamilo LMS. Prior to 1.11.38, Twig template files under /main/template/default/ were accessible without authentication via HTTP GET, exposing internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. The issue is fixed in 1.11.38. Reported ...

5.3CVSS5.8AI score0.00245EPSS
CVE
CVE
added 2026/03/02 2:39 p.m.10 views

CVE-2025-52482

CVE-2025-52482 affects Chamilo LMS prior to version 1.11.30, with a stored XSS vulnerability in the glossary function. The issue allows users with the Teachers role to inject JavaScript against the administrator via the glossary/trigger paths (e.g., /main/glossary/index.php and related tracking r...

8.3CVSS5.9AI score0.00373EPSS
CVE
CVE
added 2026/03/16 7:18 p.m.9 views

CVE-2026-30876

Chamilo LMS before version 1.11.36 is vulnerable to user enumeration via login response (valid vs invalid usernames). The issue has been fixed in 1.11.36. CVSS‑4.0 metrics indicate Network attack vector, Low confidentiality impact, and a Medium overall severity (6.3).

6.3CVSS5.7AI score0.00205EPSS
Total number of security vulnerabilities57