What is the CVSS score of CVE-2025-50189?

CVE-2025-50189 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of PHP are affected by CVE-2025-50189?

A high-severity vulnerability (CVE-2025-50189) in Chamilo LMS affects organizations using this platform for employee training, student management, or educational delivery.. A patch is available.

Is there a public PoC exploit available for CVE-2025-50189?

Yes, a public proof-of-concept exploit is available for CVE-2025-50189. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-50189?

Within 24 hours: Inventory all Chamilo deployments and assess current version status; isolate or restrict external access to affected instances if immediate patching is not possible. Within 7 days: Apply the available vendor patch to all Chamilo systems and validate patch installation across production and non-production environments. Within 30 days: Conduct a post-patch security audit, review access logs for exploitation attempts, and implement network monitoring to detect similar attack patterns.

PHP CVE-2025-50189

HIGH

SQL Injection (CWE-89)

2026-03-02 security-advisories@github.com

PHP Chamilo Lms

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 03, 2026 - 19:13 vuln.today

Public exploit code

Patch released

Mar 03, 2026 - 19:13 nvd

Patch available

CVE Published

Mar 02, 2026 - 15:16 nvd

HIGH 8.8

DescriptionNVD

Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the POST resource[document][SQL_INJECTION_HERE] and POST login parameters found in /main/coursecopy/copy_course_session_selected.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30.

AnalysisAI

Chamilo is a learning management system. [CVSS 8.8 HIGH]

Technical ContextAI

Classified as CWE-89 (SQL Injection). Affects Chamilo Lms. Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the POST resource[document][SQL_INJECTION_HERE] and POST login parameters found in /main/coursecopy/copy_course_session_selected.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30.

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 1.11.30.. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

CVE-2025-50189 vulnerability details – vuln.today

Back

PHP CVE-2025-50189

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code