CVE-2025-50190
Published: 02 March 2026
Summary
CVE-2025-50190 is a critical-severity SQL Injection (CWE-89) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation requires timely patching of the specific SQL injection vulnerability fixed in Chamilo 1.11.30, directly eliminating the exploitable flaw in the openid.assoc_handle parameter.
Information input validation enforces sanitization and validation of the GET openid.assoc_handle parameter to prevent malicious SQL payloads from being executed.
Error handling suppresses database error messages that expose sensitive information or enable further exploitation in this error-based SQL injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated remote SQL injection in public-facing Chamilo web app enables exploitation of the application itself.
NVD Description
Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the GET openid.assoc_handle parameter with the /index.php script. This issue has been patched in version 1.11.30.
Deeper analysisAI
CVE-2025-50190 is an error-based SQL injection vulnerability (CWE-89) affecting Chamilo, an open-source learning management system. The flaw exists in versions prior to 1.11.30 and is triggered via the GET openid.assoc_handle parameter in the /index.php script, allowing attackers to inject malicious SQL payloads that result in database errors exposing sensitive information or enabling further exploitation.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low complexity, no authentication requirements, and no user interaction needed. Unauthenticated attackers can leverage this to achieve high-impact outcomes, including unauthorized access to confidential data, modification of database contents, or denial of service through disruptive SQL operations.
Mitigation is available via the patch in Chamilo version 1.11.30, as detailed in the project's GitHub security advisory (GHSA-5296-jxrr-pfwj), release notes, and the specific commit 613eb19a0fac6dd49c233f32ad5428cd29d5a468 that addresses the injection point. Security practitioners should prioritize upgrading affected instances and review access logs for exploitation attempts targeting the openid.assoc_handle parameter.
Details
- CWE(s)