8.1
Chamilo learning management system project deletion without consent
CVE-2025-59541
Summary
A security issue in older versions of Chamilo's learning management system allows an attacker to delete projects without the course owner's permission. This could happen if a legitimate user is tricked into visiting a malicious website. To fix this, update to version 1.11.34 or later.
What to do
Update Chamilo LMS to version 1.11.34 or later, the release in which this issue is patched.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| chamilo | chamilo_lms | <= 1.11.34 | – |
Original title
Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victim’s conse...
Original description
Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victim’s consent. The issue arises because sensitive actions such as project deletion do not implement anti-CSRF protections (tokens) and GET based requests. As a result, an authenticated user (Trainer) can be tricked into executing this unwanted action by simply visiting a malicious page. This issue has been patched in version 1.11.34.
nvd CVSS3.1
8.1
Vulnerability type
CWE-352
Cross-Site Request Forgery (CSRF)
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026