How to fix CVE-2025-50188?

Within 24 hours: Identify all Chamilo instances in your environment and assess exposure scope; contact your Chamilo support provider for patch availability and timeline. Within 7 days: Apply available vendor patch to all Chamilo systems, starting with production environments; conduct post-patch verification testing. Within 30 days: Complete patching across all development, staging, and backup systems; document patch deployment records and validate vulnerability remediation through scanning.

Is PHP affected by CVE-2025-50188?

Chamilo LMS installations are vulnerable to a HIGH severity exploitation risk (CVE-2025-50188, CVSS 7.2) with public exploits available, potentially enabling unauthorized access to educational content, student records, and system compromise.

CVE-2025-50188

HIGH

2026-03-02 [email protected]

7.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 03, 2026 - 19:12 vuln.today

Public exploit code

Patch Released

Mar 03, 2026 - 19:12 nvd

Patch available

CVE Published

Mar 02, 2026 - 15:16 nvd

HIGH 7.2

Description

Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the GET value parameter with the following scripts: /plugin/vchamilo/views/syncparams.php and /plugin/vchamilo/ajax/service.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30.

Analysis

Chamilo is a learning management system. [CVSS 7.2 HIGH]

Technical Context

Classified as CWE-89 (SQL Injection). Affects Chamilo Lms. Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the GET value parameter with the following scripts: /plugin/vchamilo/views/syncparams.php and /plugin/vchamilo/ajax/service.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30.

Affected Products

Vendor: Chamilo. Product: Chamilo Lms. Versions: up to 1.11.30.

Remediation

A vendor patch is available — apply it immediately. Fixed in version 1.11.30.. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +36

POC: +20

CVE-2025-50188 vulnerability details – vuln.today

Back

CVE-2025-50188

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-50188

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code