How to fix CVE-2025-55289?

Within 24 hours: Identify all Chamilo instances in your environment and confirm version numbers; disable or restrict access to social network and internal messaging features if running version 1.11.32 or earlier. Within 7 days: implement input validation and output encoding at the application layer; deploy WAF rules to detect and block XSS payloads in social/messaging endpoints; conduct user awareness training on suspicious messages. Within 30 days: upgrade to Chamilo 1.11.34 or later once available; perform security audit of affected features for evidence of exploitation; restore full functionality post-patch.

Is Chamilo Lms affected by CVE-2025-55289?

Chamilo LMS versions prior to 1.11.34 contain a stored cross-site scripting (XSS) vulnerability affecting social networking and messaging features, enabling attackers to inject malicious code that executes for all users who interact with compromised content.

CVE-2025-55289

HIGH

2026-03-06 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 06, 2026 - 04:16 nvd

HIGH 8.8

Description

Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Verison 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform’s social network and internal messaging features. When viewed by an authenticated user (including administrators), the payload executes in their browser within the LMS context. This enables full account takeover via session hijacking, unauthorized actions with the victim’s privileges, exfiltration of sensitive data, and potential self-propagation to other users. This issue has been patched in version 1.11.34.

Analysis

Technical Context

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Chamilo Lms. Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Verison 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform’s social network and internal messaging features. When viewed by an authenticated user (including administrators), the payload executes in their browser within the LMS context. This enables full account takeover via session hijacking, unauthorized actions with the victim’s privileges, exfiltrati

Affected Products

Vendor: Chamilo. Product: Chamilo Lms. Versions: up to 1.11.34.

Remediation

Fixed in version 1.11.34.. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: 0

CVE-2025-55289 vulnerability details – vuln.today

Back

CVE-2025-55289

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-55289

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code