How to fix CVE-2025-59543?

Within 24 hours: Inventory all Chamilo deployments and identify instances running versions prior to 1.11.34; disable or restrict access to non-critical Chamilo features if possible. Within 7 days: Implement network segmentation to limit Chamilo access to authorized users only; deploy WAF rules to detect and block XSS payloads; audit logs for signs of exploitation. Within 30 days: Apply vendor patch immediately upon release; conduct full security assessment of Chamilo instance and user accounts for compromise indicators; reset credentials for high-privilege accounts.

Is Chamilo Lms affected by CVE-2025-59543?

A critical stored cross-site scripting vulnerability in Chamilo LMS (CVE-2025-59543, CVSS 9.0) allows attackers to inject malicious code that persists in the system and executes when users access affected content.

CVE-2025-59543

CRITICAL

2026-03-06 [email protected]

9.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 06, 2026 - 04:16 nvd

CRITICAL 9.0

Description

Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course description field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the course information page, including administrators. This allows an attacker to exfiltrate sensitive session cookies or tokens, resulting in account takeover (ATO) of higher-privileged users. This issue has been patched in version 1.11.34.

Analysis

Second stored XSS in Chamilo LMS before 1.11.34.

Technical Context

CWE-79.

Affected Products

['Chamilo < 1.11.34']

Remediation

Update.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +45

POC: 0

CVE-2025-59543 vulnerability details – vuln.today

Back

CVE-2025-59543

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-59543

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code