CVE-2026-32932 MEDIUM

CVE-2026-32932: Chamilo LMS has an Open Redirect via Unvalidated 'page' Parameter in Session Course Edit

Vendor Chamilo

Product chamilo-lms

Weakness CWE-601 · Open redirect

Published April 10, 2026

Last update April 13, 2026

View on NVD All CVEs

CVSS base score

4.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The redirect also leaks the id_session parameter to the attacker's server. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

Key dates

02Disclosure timeline

April 10, 2026 CVE published

April 13, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-32932 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/601.html

Related vulnerabilities

Identifiers

CVE CVE-2026-32932

CWE CWE-601

CVSS 4.7 / MEDIUM

Affected versions

Vendor Chamilo

Product chamilo-lms

Affected < 1.11.38

Vendor Chamilo

Product chamilo-lms

Affected >= 2.0.0-alpha.1, < 2.0.0-RC.3

CVE-2026-32932: Chamilo LMS has an Open Redirect via Unvalidated 'page' Parameter in Session Course Edit

01Description

02Disclosure timeline

03References

04Related CVE