Cyber Resilience

CVE-2025-59541

High

Published: 06 March 2026

Published
06 March 2026
Modified
09 March 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
EPSS Score 0.0015 4.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-59541 is a high-severity CSRF (CWE-352) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-59541 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting Chamilo, an open-source learning management system. Versions prior to 1.11.34 are vulnerable due to the absence of anti-CSRF protections, such as tokens, on sensitive actions like project deletion within courses. These actions rely on GET-based requests, enabling unauthorized execution when triggered inadvertently.

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L) by tricking an authenticated Trainer user into visiting a malicious webpage (UI:R). The forged request deletes projects inside a course without the victim's consent, leading to high integrity (I:H) and availability (A:H) impacts but no confidentiality loss (C:N), with an unchanged scope (S:U). The CVSS v3.1 base score is 8.1.

The issue was patched in Chamilo version 1.11.34. Mitigation involves upgrading to this version or later. Additional details are available in the GitHub release notes at https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34 and the security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpj6-p9m5-q637.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victim’s consent. The issue arises because sensitive actions such as project deletion do…

more

not implement anti-CSRF protections (tokens) and GET based requests. As a result, an authenticated user (Trainer) can be tricked into executing this unwanted action by simply visiting a malicious page. This issue has been patched in version 1.11.34.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

CSRF in public-facing web app directly enables exploitation via malicious link requiring user interaction.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-50187Same product: Chamilo Chamilo Lms
CVE-2025-50192Same product: Chamilo Chamilo Lms
CVE-2024-47886Same product: Chamilo Chamilo Lms
CVE-2025-50188Same product: Chamilo Chamilo Lms
CVE-2026-33710Same product: Chamilo Chamilo Lms
CVE-2025-50190Same product: Chamilo Chamilo Lms
CVE-2025-52998Same product: Chamilo Chamilo Lms
CVE-2026-33618Same product: Chamilo Chamilo Lms
CVE-2025-52469Same product: Chamilo Chamilo Lms
CVE-2025-50191Same product: Chamilo Chamilo Lms

Affected Assets

chamilo
chamilo lms
≤ 1.11.34

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires mechanisms to protect session authenticity, directly addressing CSRF by mandating tokens or equivalent protections against forged requests in Chamilo.

prevent

Mandates input validation at system entry points, including anti-CSRF tokens to block unauthorized project deletion requests lacking valid tokens.

prevent

Requires timely flaw remediation, directly mitigating this CVE by applying the patch in Chamilo 1.11.34 that adds CSRF protections.

References