Cross-site scripting in Chamilo LMS - CVE-2025-59542

 

Published: April 24, 2026


Vulnerability identifier: #VU127542
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-59542
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Chamilo
Affected software:
Chamilo LMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript code in another user's browser and take over accounts.

The vulnerability exists due to stored cross-site scripting in the course learning path Settings field when rendering the course information page. A remote user can inject malicious JavaScript into the field to execute arbitrary JavaScript code in another user's browser and take over accounts.

User interaction is required: the injected script executes when another user views the course information page.


How to mitigate CVE-2025-59542

Install the security update from the vendor's website.
