CVE-2025-50188
Published: 02 March 2026
Summary
CVE-2025-50188 is a high-severity SQL Injection (CWE-89) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing Chamilo web app directly enables remote exploitation of the application (T1190) by authenticated high-privileged users via vulnerable endpoints.
NVD Description
Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the GET value parameter with the following scripts: /plugin/vchamilo/views/syncparams.php and /plugin/vchamilo/ajax/service.php, which allows an attacker to perform an…
more
attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30.
Deeper analysisAI
CVE-2025-50188 is a SQL injection vulnerability (CWE-89) in Chamilo, an open-source learning management system. The flaw affects versions prior to 1.11.30 and stems from insufficient validation of user-supplied data via GET parameters in two specific scripts: /plugin/vchamilo/views/syncparams.php and /plugin/vchamilo/ajax/service.php. This allows attackers to inject arbitrary SQL statements, altering database query logic.
Exploitation requires network access and high privileges (PR:H), with low attack complexity and no user interaction needed (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, score 7.2). A privileged attacker, such as an authenticated user with elevated roles, can remotely execute malicious SQL payloads through the vulnerable endpoints, potentially leading to high-impact confidentiality, integrity, and availability compromises, including data exfiltration, modification, or denial of service.
The vulnerability has been addressed in Chamilo version 1.11.30. Security practitioners should upgrade to this patched release, as detailed in the GitHub commit (ef54cc0906a3caaa3e7ac9b640b044f03b1fe733), release notes (v1.11.30), and GitHub Security Advisory (GHSA-96j3-x45m-9q3r), which confirm the fix through improved input validation.
Details
- CWE(s)