CVE-2025-50186

MEDIUM

Chamilo <1.11.30 - Stored XSS

Title source: llm

Description

Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of CSV filenames. An attacker can upload a maliciously named CSV file (e.g., <img src=q onerror=prompt(8)>.csv) that leads to JavaScript execution when viewed by administrators or users with access to import logs or file views. This issue has been patched in version 1.11.30.

References (3)

Scores

CVSS v3 4.8
EPSS 0.0004
EPSS Percentile 11.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Classification

CWE
CWE-79
Status published

Affected Products (1)

chamilo/chamilo_lms < 1.11.30

Timeline

Published Mar 02, 2026
Tracked Since Mar 02, 2026