CVE-2025-59542 CRITICAL

CVE-2025-59542: Chamilo: Account Takeover via Stored XSS in Course Learning Paths

Vendor Chamilo
Product chamilo-lms
Weakness CWE-79 · XSS
Published March 6, 2026
Last update March 6, 2026
View on NVD All CVEs

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course learning path Settings field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the course information page, including administrators. This allows an attacker to exfiltrate sensitive session cookies or tokens, resulting in account takeover (ATO) of higher-privileged users. This issue has been patched in version 1.11.34.

Key dates

02Disclosure timeline

March 6, 2026 CVE published
March 6, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-1548 iteachyou Dreamer CMS edit cross site scripting CVE-2024-2553 SourceCodester Product Review Rating System Rate Product cross site scripting CVE-2021-24257 Premium Addons for Elementor < 4.2.8 - Contributor+ Stored Cross-Site Scripting (XSS) CVE-2023-6982 Display custom fields in the frontend – Post and User Profile Fields <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via vg_display_data CVE-2024-38694 WordPress Moloni plugin <= 4.7.4 - Reflected Cross Site Scripting (XSS) vulnerability