8.8
CVE-2026-29041 - Chamilo: Authenticated Remote Code Execution via Unrestricted File Upload
Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The application relies solely on MIME-type verification when handling file uploads and does not adequat…
6.9
CVE-2025-59544 - Chamilo: Unauthorized access to update category of any user
Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "category_id" parameter which allows users to update the category of any user by replacing the "category_id" parameter. This issue…
9.1
CVE-2025-59543 - Chamilo: Account Takeover via Stored XSS in Course Description
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course description field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the …
9.1
CVE-2025-59542 - Chamilo: Account Takeover via Stored XSS in Course Learning Paths
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course learning path Settings field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript c…
8.1
CVE-2025-59541 - Chamilo: CSRF Vulnerability in Project Deletion
Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victim's consent. The issue arises because sensitive actions such as project deletion do not implement anti-CSRF pro…
6.4
CVE-2025-59540 - Chamilo: Stored Cross-Site Scripting (XSS) in Chamilo LMS Exercise Feedback
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is no…
8.8
CVE-2025-55289 - Chamilo: Stored Cross Site Scripting in Skills Argumentation
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability in Chamilo LMS (Version 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform's social network and internal messaging features. When viewed by an authenticated user (includi…
9.8
CVE-2026-28501 - WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php
WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injection vulnerability exists in AVideo within the objects/videos.json.php and objects/video.php components. The application fails to properly sanitize the catName parameter when it is supplied via a JSON-f…
9.3
CVE-2026-28502 - WWBN AVideo: Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction
WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Execution (RCE) vulnerability was identified in AVideo related to the plugin upload/import functionality. The issue allowed an authenticated administrator to upload a specially crafted ZIP archive cont…
8.1
CVE-2026-29093 - WWBN AVideo: Unauthenticated PHP session store exposed to host network via published memcached port
WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.0:11211) with no authentication, while the Dockerfile configures PHP to store all user sessions in that memcached instance. An attacker who …