Chamilo-lms
This hub aggregates every CVE we track for Chamilo-lms, a product in the enterprise software space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 66
- Critical: 12
- High: 34
- In CISA KEV: 0
Severity distribution
HIGH 34, MEDIUM 20, CRITICAL 12
Monthly trend
[Chart: monthly values from 2024-07 to 2026-06. All plotted values are 0 except two consecutive values near the end of the range, 36 and 30.]
Latest CVEs
The 15 most recently published vulnerabilities affecting Chamilo-lms.
- CVE-2026-40291: Chamilo LMS has Privilege Escalation via API User Role Modification (score 8.8)
- CVE-2026-35196: Chamilo LMS has OS Command Injection via export_all_certificates action (score 8.8)
- CVE-2026-34602: Chamilo LMS: IDOR in /api/course_rel_users Allows Unauthorized Enrollment of Arbitrary Users into Courses (score 7.1)
- CVE-2026-34370: Chamilo LMS: IDOR in the Notebook Module allows an attacker to view other users' private notes (score 6.5)
- CVE-2026-34161: Chamilo LMS: Stored XSS via Malicious File Upload in Social Post Attachments Leads to Arbitrary JavaScript Execution (score 5.4)
- CVE-2026-34160: Chamilo LMS: Unauthenticated SSRF via PENS Plugin allows attacker to probe internal network and reach cloud metadata services (score 8.6)
- CVE-2026-33715: Chamilo LMS has Unauthenticated SSRF and Open Email Relay via install.ajax.php test_mailer action (score 7.2)
- CVE-2026-33714: Chamilo LMS has Authenticated SQL Injection in statistics.ajax.php users_active action (2.0 RC2) (score 7.2)
- CVE-2026-33737: Chamilo LMS has an XML External Entity (XXE) Injection (score 5.3)
- CVE-2026-33736: Chamilo LMS has an Insecure Direct Object Reference (IDOR) - User Data Exposure (score 6.5)
- CVE-2026-33710: Chamilo LMS has Weak REST API Key Generation (Predictable) (score 7.5)
- CVE-2026-33708: Chamilo LMS has REST API PII Exposure via get_user_info_from_username (score 6.5)
- CVE-2026-33707: Weak Password Recovery Mechanism for Forgotten Password in chamilo/chamilo-lms (score 9.4)
- CVE-2026-33706: Chamilo LMS has a REST API Self-Privilege Escalation (Student → Teacher) (score 7.1)
- CVE-2026-33705: Chamilo LMS has unauthenticated access to Twig template source files exposes application logic (score 5.3)
Product normalization is registry-driven with AI assist and human review.