What is the CVSS score of CVE-2025-55289?

CVE-2025-55289 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Chamilo Lms are affected by CVE-2025-55289?

Chamilo LMS versions prior to 1.11.34 contain a stored cross-site scripting (XSS) vulnerability affecting social networking and messaging features, enabling attackers to inject malicious code that…

How to fix or mitigate CVE-2025-55289?

Within 24 hours: Identify all Chamilo instances in your environment and confirm version numbers; disable or restrict access to social network and internal messaging features if running version 1.11.32 or earlier. Within 7 days: implement input validation and output encoding at the application layer; deploy WAF rules to detect and block XSS payloads in social/messaging endpoints; conduct user awareness training on suspicious messages. Within 30 days: upgrade to Chamilo 1.11.34 or later once available; perform security audit of affected features for evidence of exploitation; restore full functionality post-patch.

Chamilo Lms CVE-2025-55289

HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-03-06 security-advisories@github.com

XSS Chamilo Lms

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 06, 2026 - 04:16 nvd

HIGH 8.8

DescriptionNVD

Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Verison 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform’s social network and internal messaging features. When viewed by an authenticated user (including administrators), the payload executes in their browser within the LMS context. This enables full account takeover via session hijacking, unauthorized actions with the victim’s privileges, exfiltration of sensitive data, and potential self-propagation to other users. This issue has been patched in version 1.11.34.

AnalysisAI

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Chamilo Lms. Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Verison 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform’s social network and internal messaging features. When viewed by an authenticated user (including administrators), the payload executes in their browser within the LMS context. This enables full account takeover via session hijacking, unauthorized actions with the victim’s privileges, exfiltrati

RemediationAI

Fixed in version 1.11.34.. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

CVE-2025-55289 vulnerability details – vuln.today

Back

Chamilo Lms CVE-2025-55289

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code