How to fix CVE-2025-52468?

Within 24 hours: Identify all Chamilo instances in your environment and document their current versions. Within 7 days: Apply vendor patch to upgrade all affected Chamilo installations to version 1.11.30 or later, prioritizing production systems. Within 30 days: Conduct security testing on patched systems and implement monitoring for suspicious CSV import activities.

Is Chamilo Lms affected by CVE-2025-52468?

Chamilo LMS installations prior to version 1.11.30 are vulnerable to input validation attacks via CSV user import functionality, enabling potential unauthorized access or data manipulation.

CVE-2025-52468

HIGH

2026-03-02 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 03, 2026 - 18:23 vuln.today

Public exploit code

Patch Released

Mar 03, 2026 - 18:23 nvd

Patch available

CVE Published

Mar 02, 2026 - 16:16 nvd

HIGH 8.8

Description

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. This flaw occurs due to insufficient sanitization of user data, specifically in the "Last Name", "First Name", and "Username" fields. It allows attackers to inject a stored cross-site scripting (XSS) payload that is triggered when the user profile is viewed, potentially leading to malicious script execution in the context of the authenticated use. This issue has been patched in version 1.11.30.

Analysis

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. [CVSS 8.8 HIGH]

Technical Context

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Chamilo Lms. Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. This flaw occurs due to insufficient sanitization of user data, specifically in the "Last Name", "First Name", and "Username" fields. It allows attackers to inject a stored cross-site scripting (XSS) payload that is triggered when the user profile is viewed, potentially leading to malicious script execution in the context of the authenticated use. T

Affected Products

Vendor: Chamilo. Product: Chamilo Lms. Versions: up to 1.11.30.

Remediation

A vendor patch is available — apply it immediately. Fixed in version 1.11.30.. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: +20

CVE-2025-52468 vulnerability details – vuln.today

Back

CVE-2025-52468

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-52468

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code