How to fix CVE-2025-50189?

Within 24 hours: Inventory all Chamilo deployments and assess current version status; isolate or restrict external access to affected instances if immediate patching is not possible. Within 7 days: Apply the available vendor patch to all Chamilo systems and validate patch installation across production and non-production environments. Within 30 days: Conduct a post-patch security audit, review access logs for exploitation attempts, and implement network monitoring to detect similar attack patterns.

Is PHP affected by CVE-2025-50189?

A high-severity vulnerability (CVE-2025-50189) in Chamilo LMS affects organizations using this platform for employee training, student management, or educational delivery.

CVE-2025-50189

HIGH

2026-03-02 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 03, 2026 - 19:13 vuln.today

Public exploit code

Patch Released

Mar 03, 2026 - 19:13 nvd

Patch available

CVE Published

Mar 02, 2026 - 15:16 nvd

HIGH 8.8

Description

Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the POST resource[document][SQL_INJECTION_HERE] and POST login parameters found in /main/coursecopy/copy_course_session_selected.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30.

Analysis

Chamilo is a learning management system. [CVSS 8.8 HIGH]

Technical Context

Classified as CWE-89 (SQL Injection). Affects Chamilo Lms. Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the POST resource[document][SQL_INJECTION_HERE] and POST login parameters found in /main/coursecopy/copy_course_session_selected.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30.

Affected Products

Vendor: Chamilo. Product: Chamilo Lms. Versions: up to 1.11.30.

Remediation

A vendor patch is available — apply it immediately. Fixed in version 1.11.30.. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +44

POC: +20

CVE-2025-50189 vulnerability details – vuln.today

Back

CVE-2025-50189

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-50189

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code