Angel Fernando Quiroz Campos - Security Researcher

CVE-2026-32931 WRITEUP HIGH WRITEUP

Chamilo LMS has Arbitrary File Upload via MIME-Only Validation in Exercise Sound Upload Leads to RCE

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its original .php extension and is placed in a web-accessible directory, enabling Remote Code Execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

CVSS 7.5

View Code

CVE-2026-32932 WRITEUP MEDIUM WRITEUP

Chamilo LMS Session Course Edit page - Open Redirect

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The redirect also leaks the id_session parameter to the attacker's server. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

CVSS 4.7

View Code

CVE-2026-33141 WRITEUP MEDIUM WRITEUP

Chamilo LMS REST API Stats - Insecure Direct Object Reference

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress, certificates, and gradebook scores for any course, without enrollment or supervisory relationship. This vulnerability is fixed in 2.0.0-RC.3.

CVSS 6.5

View Code

CVE-2026-33706 WRITEUP HIGH WRITEUP

Chamilo LMS REST API - Student-to-Teacher Privilege Escalation

Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the update_user_from_username endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course creation and management privileges. This vulnerability is fixed in 1.11.38.

CVSS 7.1

View Code

CVE-2026-33708 WRITEUP MEDIUM WRITEUP

Chamilo LMS has REST API PII Exposure via get_user_info_from_username

Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38.

CVSS 6.5

View Code

CVE-2026-33710 WRITEUP HIGH WRITEUP

Chamilo LMS has Weak REST API Key Generation (Predictable)

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

CVSS 7.5

View Code

CVE-2026-33736 WRITEUP MEDIUM WRITEUP

Chamilo LMS API Users - Insecure Direct Object Reference

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3.

CVSS 6.5

View Code

CVE-2026-33737 WRITEUP MEDIUM WRITEUP

Chamilo LMS XML Parsing - XML External Entity Injection

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

CVSS 5.3

View Code

CVE-2026-31939 WRITEUP HIGH WRITEUP

Path Traversal (Arbitrary File Delete) in Chamilo LMS

Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file feletion. User input from $_REQUEST['test'] is concatenated directly into filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38.

CVSS 8.3

View Code

CVE-2026-31940 WRITEUP HIGH WRITEUP

Session Fixation in Chamilo LMS

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

CVSS 7.5

View Code

CVE-2026-31941 WRITEUP HIGH WRITEUP

Server-Side Request Forgery (SSRF) in Chamilo LMS

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main POST parameter and performs two server-side HTTP requests to that URL without validating whether the target is an internal or external resource. This allows an authenticated attacker to force the server to make arbitrary HTTP requests to internal services, scan internal ports, and access cloud instance metadata. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

CVSS 7.7

View Code

CVE-2026-32893 WRITEUP MEDIUM WRITEUP

Chamilo LMS has Reflected XSS via Unsanitized http_build_query() in Exercise Question List Pagination

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_build_query() directly into HTML href attributes without htmlspecialchars() encoding. This vulnerability is fixed in 2.0.0-RC.3.

CVSS 5.4

View Code

CVE-2026-32894 WRITEUP HIGH WRITEUP

Chamilo LMS Gradebook Results - Insecure Direct Object Reference

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

CVSS 7.1

View Code

CVE-2024-50337 WRITEUP MEDIUM WRITEUP

Chamilo LMS < 1.11.28 - Unauthenticated Server-Side Request Forgery via OpenId Function

Chamilo is a learning management system. Prior to version 1.11.28, the OpenId function allows anyone to send requests to any URL on server's behalf, which results in unauthenticated blind SSRF. This issue has been patched in version 1.11.28.

CVSS 5.3

View Code

CVE-2025-50186 WRITEUP MEDIUM WRITEUP

Chamilo LMS < 1.11.30 - Stored Cross-Site Scripting via CSV Filename

Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of CSV filenames. An attacker can upload a maliciously named CSV file (e.g., <img src=q onerror=prompt(8)>.csv) that leads to JavaScript execution when viewed by administrators or users with access to import logs or file views. This issue has been patched in version 1.11.30.

CVSS 4.8

View Code

CVE-2025-50188 WRITEUP HIGH WRITEUP

Chamilo LMS < 1.11.30 - SQL Injection via GET Value Parameter

Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the GET value parameter with the following scripts: /plugin/vchamilo/views/syncparams.php and /plugin/vchamilo/ajax/service.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30.

CVSS 7.2

View Code

CVE-2025-50189 WRITEUP HIGH WRITEUP

Chamilo LMS < 1.11.30 - SQL Injection via POST resource[document] Parameter

Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the POST resource[document][SQL_INJECTION_HERE] and POST login parameters found in /main/coursecopy/copy_course_session_selected.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30.

CVSS 8.8

View Code

CVE-2025-50190 WRITEUP CRITICAL WRITEUP

Chamilo < 1.11.30 - SQL Injection via GET openid.assoc_handle Parameter

Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the GET openid.assoc_handle parameter with the /index.php script. This issue has been patched in version 1.11.30.

CVSS 9.8

View Code

CVE-2025-50191 WRITEUP HIGH WRITEUP

Chamilo < 1.11.30 - SQL Injection via POST userFile in hotpotatoes.php

Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via POST userFile with the /main/exercise/hotpotatoes.php script. This issue has been patched in version 1.11.30.

CVSS 7.2

View Code

CVE-2025-50192 WRITEUP CRITICAL WRITEUP

Chamilo < 1.11.30 - Time-Based SQL Injection via Registration SOAP Endpoint

Chamilo is a learning management system. Prior to version 1.11.30, there is a time-based SQL Injection in found in /main/webservices/registration.soap.php. This issue has been patched in version 1.11.30.

CVSS 9.8

View Code

CVE-2025-50193 WRITEUP HIGH WRITEUP