Cyber Resilience

CVE-2025-55289

High

Published: 06 March 2026

Published
06 March 2026
Modified
09 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0030 21.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-55289 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 21.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-55289 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in Chamilo, an open-source learning management system (LMS). It affects Chamilo LMS versions prior to 1.11.34, with the issue specifically noted in version 1.11.32. The vulnerability resides in the platform's social network and internal messaging features, where attackers can inject arbitrary JavaScript code. The flaw carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

A low-privileged authenticated attacker can exploit this vulnerability by injecting malicious JavaScript payloads into the social network or internal messaging components. When another authenticated user, including administrators, views the injected content, the payload executes in their browser within the context of the LMS. This enables full account takeover via session hijacking, execution of unauthorized actions using the victim's privileges, exfiltration of sensitive data, and potential self-propagation to other users through further messaging or social interactions.

The vulnerability has been patched in Chamilo LMS version 1.11.34. Administrators are advised to upgrade to this version or later to mitigate the issue. Additional details are available in the GitHub security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-cchj-3qmf-82j5 and the release notes at https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Verison 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform’s social network and internal messaging features. When viewed by…

more

an authenticated user (including administrators), the payload executes in their browser within the LMS context. This enables full account takeover via session hijacking, unauthorized actions with the victim’s privileges, exfiltration of sensitive data, and potential self-propagation to other users. This issue has been patched in version 1.11.34.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

Stored XSS enables direct arbitrary JavaScript execution (T1059.007) in other users' browsers and facilitates session hijacking (T1185/T1539) for account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59543Same product: Chamilo Chamilo Lms
CVE-2025-59542Same product: Chamilo Chamilo Lms
CVE-2025-52468Same product: Chamilo Chamilo Lms
CVE-2025-52482Same product: Chamilo Chamilo Lms
CVE-2025-55208Same product: Chamilo Chamilo Lms
CVE-2026-31940Same product: Chamilo Chamilo Lms
CVE-2026-33702Same product: Chamilo Chamilo Lms
CVE-2026-30881Same product: Chamilo Chamilo Lms
CVE-2026-31941Same product: Chamilo Chamilo Lms
CVE-2025-50193Same product: Chamilo Chamilo Lms

Affected Assets

chamilo
chamilo lms
≤ 1.11.34

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates inputs to social network and internal messaging features, preventing injection of arbitrary JavaScript payloads.

prevent

Filters and encodes outputs from social network and messaging when rendered in users' browsers, blocking XSS payload execution.

prevent

Requires timely patching of the specific stored XSS flaw, as addressed in Chamilo version 1.11.34.

References