CVE-2025-50188
Published: 02 March 2026
Summary
CVE-2025-50188 is a high-severity SQL Injection (CWE-89) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 7.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-50188 is a SQL injection vulnerability (CWE-89) in Chamilo, an open-source learning management system. The flaw affects versions prior to 1.11.30 and stems from insufficient validation of user-supplied data via GET parameters in two specific scripts: /plugin/vchamilo/views/syncparams.php and /plugin/vchamilo/ajax/service.php. This allows attackers to inject arbitrary SQL statements, altering database query logic.
Exploitation requires network access and high privileges (PR:H), with low attack complexity and no user interaction needed (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, score 7.2). A privileged attacker, such as an authenticated user with elevated roles, can remotely execute malicious SQL payloads through the vulnerable endpoints, potentially leading to high-impact confidentiality, integrity, and availability compromises, including data exfiltration, modification, or denial of service.
The vulnerability has been addressed in Chamilo version 1.11.30. Security practitioners should upgrade to this patched release, as detailed in the GitHub commit (ef54cc0906a3caaa3e7ac9b640b044f03b1fe733), release notes (v1.11.30), and GitHub Security Advisory (GHSA-96j3-x45m-9q3r), which confirm the fix through improved input validation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208157
Vulnerability details
Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the GET value parameter with the following scripts: /plugin/vchamilo/views/syncparams.php and /plugin/vchamilo/ajax/service.php, which allows an attacker to perform an…
more
attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing Chamilo web app directly enables remote exploitation of the application (T1190) by authenticated high-privileged users via vulnerable endpoints.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of all user-supplied input (GET parameters) before it is used in database queries, blocking the SQL injection in syncparams.php and service.php.
Mandates prompt application of the vendor patch (v1.11.30) that adds the missing input validation to the two vulnerable Chamilo scripts.
Restricts the high-privilege accounts (PR:H) required to reach the vulnerable endpoints, reducing the population of users who can exploit the flaw.