CVE-2025-50186 MEDIUM

CVE-2025-50186: Chamilo: Stored XSS via Malicious CSV Filename in user_import.php

Vendor Chamilo

Product chamilo-lms

Weakness CWE-79 · XSS

Published March 2, 2026

Last update March 2, 2026

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of CSV filenames. An attacker can upload a maliciously named CSV file (e.g., <img src=q onerror=prompt(8)>.csv) that leads to JavaScript execution when viewed by administrators or users with access to import logs or file views. This issue has been patched in version 1.11.30.

Key dates

Disclosure timeline

March 2, 2026 CVE published

March 2, 2026 Record updated