What is the CVSS score of CVE-2025-50188?

CVE-2025-50188 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of PHP are affected by CVE-2025-50188?

Chamilo LMS installations are vulnerable to a HIGH severity exploitation risk (CVE-2025-50188, CVSS 7.2) with public exploits available, potentially enabling unauthorized access to educational…. A patch is available.

Is there a public PoC exploit available for CVE-2025-50188?

Yes, a public proof-of-concept exploit is available for CVE-2025-50188. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-50188?

Within 24 hours: Identify all Chamilo instances in your environment and assess exposure scope; contact your Chamilo support provider for patch availability and timeline. Within 7 days: Apply available vendor patch to all Chamilo systems, starting with production environments; conduct post-patch verification testing. Within 30 days: Complete patching across all development, staging, and backup systems; document patch deployment records and validate vulnerability remediation through scanning.

PHP CVE-2025-50188

HIGH

SQL Injection (CWE-89)

2026-03-02 security-advisories@github.com

PHP Chamilo Lms

7.2

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.2 HIGH

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 03, 2026 - 19:12 vuln.today

Public exploit code

Patch released

Mar 03, 2026 - 19:12 nvd

Patch available

CVE Published

Mar 02, 2026 - 15:16 nvd

HIGH 7.2

DescriptionGitHub Advisory

Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the GET value parameter with the following scripts: /plugin/vchamilo/views/syncparams.php and /plugin/vchamilo/ajax/service.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30.

AnalysisAI

Chamilo is a learning management system. [CVSS 7.2 HIGH]

Technical ContextAI

Classified as CWE-89 (SQL Injection). Affects Chamilo Lms. Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the GET value parameter with the following scripts: /plugin/vchamilo/views/syncparams.php and /plugin/vchamilo/ajax/service.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30.

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 1.11.30.. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2025-50188 vulnerability details – vuln.today

Back

PHP CVE-2025-50188

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code