CVE-2025-50186 - Vulnerability Analysis
Medium | CVSS: 4.8 | Last Updated: March 3, 2026
Chamilo - Stored XSS
Published: March 2, 2026 | Updated: March 3, 2026 | PoC Available | Remote Exploitable
Overview
Chamilo versions before 1.11.30 contain a stored XSS caused by insufficient sanitization of CSV filenames. Attacker-supplied JavaScript executes when a malicious CSV file is viewed by admins or users with import log access. Exploitation requires file upload capability.
Severity & Score
Severity: Medium
CVSS Score: 4.8
Impact
Attackers can execute arbitrary JavaScript in the context of administrators or privileged users, potentially leading to session hijacking or further attacks.
Mitigation
Update to version 1.11.30 or later.
Details
- CVE ID: CVE-2025-50186
- Severity: Medium
- CVSS Score: 4.8
- Type: stored_xss
- Status: confirmed
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N