Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Chamilo LMS - CVE-2025-59540


Published: April 24, 2026


Vulnerability identifier: #VU127540
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-59540
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Chamilo
Affected software: Chamilo LMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript in the browser of an admin user.

The vulnerability exists due to cross-site scripting in public/main/exercise/exercise_history.php when rendering feedback input on the exercise history page. A remote user can inject a malicious script into the feedback field to execute arbitrary JavaScript in the browser of an admin user.

User interaction is required when an admin views the exercise history, and the payload persists in the database until removed.
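As an added illustration (not Chamilo's own code and not its patch), the following hypothetical PHP shows the feedback value being placed into the exercise history page verbatim, beside the output-encoded form, with a small check a reviewer or regression test can use to confirm that no raw tag from the stored input survives into the rendered HTML. The function and field names are assumptions.

```php
<?php
// Hypothetical illustration, not Chamilo's code: how a stored feedback value
// can reach the exercise history page unescaped, and the encoded alternative.
declare(strict_types=1);

// Constructed sample of a feedback value as it might sit in the database.
const SAMPLE_FEEDBACK = 'Good work <script>alert("xss")</script> <b>keep going</b>';

// Vulnerable pattern: the stored value is concatenated into the markup as-is,
// so any tag written into the feedback field is parsed by the admin's browser.
function renderFeedbackUnsafe(string $feedback): string
{
    return '<td class="feedback">' . $feedback . '</td>';
}

// Hardened pattern: encode the value as HTML text so <, >, &, and quotes are
// displayed literally instead of being interpreted as markup.
function renderFeedbackSafe(string $feedback): string
{
    $encoded = htmlspecialchars(
        $feedback,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<td class="feedback">' . $encoded . '</td>';
}

// Defensive check: returns true when a tag present in the untrusted input
// appears unchanged in the rendered HTML, i.e. output encoding was skipped.
function containsRawTag(string $html, string $untrusted): bool
{
    $hasTag = preg_match('/<\s*\/?\s*[a-z][^>]*>/i', $untrusted, $m) === 1;
    return $hasTag && str_contains($html, $m[0]);
}

$unsafe = renderFeedbackUnsafe(SAMPLE_FEEDBACK);
$safe   = renderFeedbackSafe(SAMPLE_FEEDBACK);

// The unsafe rendering carries the script tag through; the safe one does not.
var_dump(containsRawTag($unsafe, SAMPLE_FEEDBACK));
var_dump(containsRawTag($safe, SAMPLE_FEEDBACK));
echo $safe, PHP_EOL;
```

The same encoding step applies wherever the feedback value is written into HTML, including any admin-side listing of exercise attempts, since the stored payload remains in the database until it is removed.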


How to mitigate CVE-2025-59540

Install the security update from the vendor's website.

Sources