Home / Vulnerability Intelligence / CVE-2025-52470

CVE-2025-52470 - Vulnerability Analysis

MediumCVSS: 4.8

Last Updated: March 3, 2026

Chamilo - Stored XSS

Published: March 2, 2026Updated: March 3, 2026PoC AvailableRemote Exploitable

Overview

Chamilo < 1.11.30 contains a stored XSS caused by improper sanitization of the Category Name field in session_category_add.php, letting privileged users inject persistent scripts executed in add_many_sessions_to_category.php, exploit requires privileged user access.

Severity & Score

Severity: Medium

CVSS Score: 4.8

Impact

Privileged users can inject persistent scripts that execute in administrative sessions, potentially compromising admin accounts.

Mitigation

Upgrade to version 1.11.30 or later.

References

https://github.com/chamilo/chamilo-lms/commit/ead79db4eb034b8c11a3d6036759d083de37530c
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-p4m6-gwhg-x89f

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2025-52470
Severity: Medium
CVSS Score: 4.8
Type: stored_xss
Status: confirmed

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N