CVE-2025-52998

CRITICAL

Chamilo <1.11.30 - Deserialization

Title source: llm

Description

Chamilo is a learning management system. Prior to version 1.11.30, in the application, deserialization of data is performed, the data can be spoofed. An attacker can create objects of arbitrary classes, as well as fully control their properties, and thus modify the logic of the web application's operation. This issue has been patched in version 1.11.30.

References (3)

[Vendor Advisory] https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-6mwg-2mw5-rx5v

[Patch] https://github.com/chamilo/chamilo-lms/commit/ba7e15d8cfefcd451de939e98d461b17e72eb627

View Patch ZIP pw:eip

[Release Notes] https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30

Scores

CVSS v3 9.8

EPSS 0.0022

EPSS Percentile 44.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-502

Status published

Products (1)

chamilo/chamilo_lms < 1.11.30

Published Mar 02, 2026

Tracked Since Mar 02, 2026