CVE-2025-52470 MEDIUM

CVE-2025-52470: Chamilo: Stored Cross-Site Scripting (XSS) via Session Category Name

Vendor Chamilo
Product chamilo-lms
Weakness CWE-79 · XSS
Published March 2, 2026
Last update March 2, 2026

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists in the session_category_add.php script. The vulnerability is caused by improper sanitization of the Category Name field, allowing privileged users to inject persistent JavaScript payloads. The injected script is later executed when accessing add_many_sessions_to_category.php, potentially compromising administrative sessions. This issue has been patched in version 1.11.30.

Key dates

02Disclosure timeline

March 2, 2026 CVE published
March 2, 2026 Record updated