9.0

Chamilo Learning Management System: Admin Account Takeover via Malicious File Uploads

CVE-2025-55208
Summary

If you're running a Chamilo version prior to 1.11.34, a malicious file upload could allow an attacker to take control of your admin account. Chamilo's `Social Networks` feature handles file uploads insecurely, which lets a low-privilege user store a cross-site scripting (XSS) payload that executes in the admin user's inbox. To protect your system, update to version 1.11.34 or later.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
chamilo | chamilo_lms | <= 1.11.34 | –
Original title
Chamilo is a learning management system. Versions prior to 1.11.34 have a Stored XSS through insecure file uploads in `Social Networks`. Through it, a low-privilege user can execute arbitrary code ...
Original description
Chamilo is a learning management system. Versions prior to 1.11.34 have a Stored XSS through insecure file uploads in `Social Networks`. Through it, a low-privilege user can execute arbitrary code in the admin user inbox, allowing takeover of the admin account. Version 1.11.34 fixes the issue.
NVD CVSS 3.1: 9.0
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026