CVE-2025-50187 PUBLISHED

Chamilo: Evaluation of untrusted user input leads to Remote Code Execution

Assigner: GitHub_M
Reserved: 13.06.2025 Published: 02.03.2026 Updated: 02.03.2026

Chamilo is a learning management system. Prior to version 1.11.28, parameter from SOAP request is evaluated without filtering which leads to Remote Code Execution. This issue has been patched in version 1.11.28.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Product Status

Vendor chamilo
Product chamilo-lms
Versions
  • Version < 1.11.28 is affected

References

Problem Types

  • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') CWE