CVE-2025-52482 HIGH

CVE-2025-52482: Chamilo: Stored XSS in glossary function via /main/glossary/index.php trigger in /main/tracking/course_log_resources.php

Vendor Chamilo

Product chamilo-lms

Weakness CWE-79 · XSS

Published March 2, 2026

Last update March 2, 2026

View on NVD All CVEs

CVSS base score

8.3/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

What the vulnerability does

Description

Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS vulnerability exists in the glossary function, enabling all users with the Teachers role to inject JavaScript malicious code against the administrator. This issue has been patched in version 1.11.30.

Key dates

Disclosure timeline

March 2, 2026 CVE published

March 2, 2026 Record updated