CVE-2025-55208
CRITICALChamilo LMS < 1.11.34 - Stored Cross-Site Scripting via Social Networks File Upload
Title source: llmDescription
Chamilo is a learning management system. Versions prior to 1.11.34 have a Stored XSS through insecure file uploads in `Social Networks`. Through it, a low-privilege user can execute arbitrary code in the admin user inbox, allowing takeover of the admin account. Version 1.11.34 fixes the issue.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-2vq2-826h-6hp6
Scores
CVSS v3
9.0
EPSS
0.0031
EPSS Percentile
22.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (1)
chamilo/chamilo_lms
< 1.11.34
Published
Mar 05, 2026
Tracked Since
Mar 06, 2026