
chamilo-lms — Vulnerabilities & Security Advisories (69)

All 69 CVE vulnerabilities found in chamilo-lms, with AI-generated Chinese analysis, references, and POCs.

Vendor: chamilo

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-40291 | Chamilo LMS has Privilege Escalation via API User Role Modification | CWE-269 | 8.8 | High | 2026-04-14 |
| CVE-2026-35196 | Chamilo LMS has OS Command Injection via export_all_certificates action | CWE-78 | 8.8 | High | 2026-04-14 |
| CVE-2026-34602 | Chamilo LMS: IDOR in /api/course_rel_users Allows Unauthorized Enrollment of Arbitrary Users into Courses | CWE-639 | 7.1 | High | 2026-04-14 |
| CVE-2026-34370 | Chamilo LMS: IDOR in the Notebook Module allows an attacker to view other users' private notes | CWE-285 | 6.5 | Medium | 2026-04-14 |
| CVE-2026-34161 | Chamilo LMS: Stored XSS via Malicious File Upload in Social Post Attachments Leads to Arbitrary JavaScript Execution | CWE-79 | 5.4 | - | 2026-04-14 |
| CVE-2026-34160 | Chamilo LMS: Unauthenticated SSRF via PENS Plugin allows attacker to probe internal network and reach cloud metadata services | CWE-306 | 8.6 | High | 2026-04-14 |
| CVE-2026-33715 | Chamilo LMS has Unauthenticated SSRF and Open Email Relay via install.ajax.php test_mailer action | CWE-306 | 7.2 | High | 2026-04-14 |
| CVE-2026-33714 | Chamilo LMS has Authenticated SQL Injection in statistics.ajax.php users_active action (2.0 RC2) | CWE-89 | 8.8 | - | 2026-04-14 |
| CVE-2026-33737 | Chamilo LMS has an XML External Entity (XXE) Injection | CWE-611 | 5.3 | Medium | 2026-04-10 |
| CVE-2026-33736 | Chamilo LMS has an Insecure Direct Object Reference (IDOR) - User Data Exposure | CWE-639 | 6.5 | Medium | 2026-04-10 |
| CVE-2026-33710 | Chamilo LMS has Weak REST API Key Generation (Predictable) | CWE-330 | 7.5 | High | 2026-04-10 |
| CVE-2026-33708 | Chamilo LMS has REST API PII Exposure via get_user_info_from_username | CWE-862 | 6.5 | Medium | 2026-04-10 |
| CVE-2026-33707 | Weak Password Recovery Mechanism for Forgotten Password in chamilo/chamilo-lms | CWE-640 | 9.4 | Critical | 2026-04-10 |
| CVE-2026-33706 | Chamilo LMS has a REST API Self-Privilege Escalation (Student → Teacher) | CWE-269 | 7.1 | High | 2026-04-10 |
| CVE-2026-33705 | Chamilo LMS has unauthenticated access to Twig template source files exposes application logic | CWE-538 | 5.3 | Medium | 2026-04-10 |
| CVE-2026-33704 | Chamilo LMS Affected by Authenticated Arbitrary File Write via BigUpload endpoint | CWE-434 | 7.1 | High | 2026-04-10 |
| CVE-2026-33703 | Chamilo LMS Critical IDOR: Any Authenticated User Can Extract All Users’ Personal Data and API Tokens | CWE-639 | 8.1 | - | 2026-04-10 |
| CVE-2026-33702 | Chamilo LMS has an Insecure Direct Object Reference (IDOR) | CWE-639 | 7.1 | High | 2026-04-10 |
| CVE-2026-33698 | Chamilo LMS affected by unauthenticated RCE in main/install folder | CWE-552 | 9.8 | - | 2026-04-10 |
| CVE-2026-33618 | Chamilo LMS Affected by Remote Code Execution via eval() in Platform Settings | CWE-95 | 8.8 | High | 2026-04-10 |
| CVE-2026-33141 | Chamilo LMS has an IDOR in REST API Stats Endpoint Exposes Any User's Learning Data | CWE-639 | 6.5 | Medium | 2026-04-10 |
| CVE-2026-32892 | OS Command Injection in Chamilo LMS 1.11.36 | CWE-78 | 9.1 | Critical | 2026-04-10 |
| CVE-2026-32932 | Chamilo LMS has an Open Redirect via Unvalidated 'page' Parameter in Session Course Edit | CWE-601 | 4.7 | Medium | 2026-04-10 |
| CVE-2026-32931 | Chamilo LMS has Arbitrary File Upload via MIME-Only Validation in Exercise Sound Upload Leads to RCE | CWE-434 | 7.5 | High | 2026-04-10 |
| CVE-2026-32930 | Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Evaluation Edit Without Ownership Check | CWE-639 | 7.1 | High | 2026-04-10 |
| CVE-2026-32894 | Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Deletion of Any Student's Grade Result | CWE-476 | 7.1 | High | 2026-04-10 |
| CVE-2026-32893 | Chamilo LMS has Reflected XSS via Unsanitized http_build_query() in Exercise Question List Pagination | CWE-79 | 5.4 | Medium | 2026-04-10 |
| CVE-2026-31941 | Server-Side Request Forgery (SSRF) in Chamilo LMS | CWE-918 | 7.7 | High | 2026-04-10 |
| CVE-2026-31940 | Session Fixation in Chamilo LMS | CWE-384 | 7.5 | High | 2026-04-10 |
| CVE-2026-31939 | Path Traversal (Arbitrary File Delete) in Chamilo LMS | CWE-22 | 8.3 | High | 2026-04-10 |
