CVE-2025-50198 - Vulnerability Analysis
Medium | CVSS: 4.9 | Last Updated: March 3, 2026
Chamilo - Insecure Deserialization
Published: March 2, 2026 | Updated: March 3, 2026 | PoC Available | Remote Exploitable
Overview
Chamilo < 1.11.30 contains an insecure deserialization vulnerability caused by untrusted data in /plugin/vchamilo/views/import.php, supplied via the POST parameters configuration_file, course_path, and home_path. It lets attackers execute arbitrary code remotely; exploitation requires a crafted POST request.
Severity & Score
Severity: Medium
CVSS Score: 4.9
Impact
Attackers can execute arbitrary code remotely, potentially leading to full system compromise.
Mitigation
Update to version 1.11.30 or later.
References
- https://github.com/chamilo/chamilo-lms/commit/07f7954f2dd18c4f5a307b2a6fa802d9ce36b827
- https://github.com/chamilo/chamilo-lms/commit/89c67e6630852cf94d288499e2cd6f6a06f9c6f1
- https://github.com/chamilo/chamilo-lms/commit/8bd86913a89fec084053e2c2916df19f15d03d95
- https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-jgxc-96j5-8rrr
Details
- CVE ID: CVE-2025-50198
- Severity: Medium
- CVSS Score: 4.9
- Type: insecure_deserialization
- Status: confirmed
CWE
- CWE-502
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N