Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-50193

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-02 Mar, 2026 | 15:16
Updated At-02 Mar, 2026 | 15:16
Rejected At-
Credits

Chamilo: OS command Injection in /plugin/vchamilo/views/import.php with the POST to_main_database parameter

Chamilo is a learning management system. Prior to version 1.11.30, there is an OS command Injection vulnerability in /plugin/vchamilo/views/import.php with the POST to_main_database parameter. This issue has been patched in version 1.11.30.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:02 Mar, 2026 | 15:16
Updated At:02 Mar, 2026 | 15:16
Rejected At:
â–¼CVE Numbering Authority (CNA)
Chamilo: OS command Injection in /plugin/vchamilo/views/import.php with the POST to_main_database parameter

Chamilo is a learning management system. Prior to version 1.11.30, there is an OS command Injection vulnerability in /plugin/vchamilo/views/import.php with the POST to_main_database parameter. This issue has been patched in version 1.11.30.

Affected Products
Vendor
chamilo
Product
chamilo-lms
Versions
Affected
  • < 1.11.30
Problem Types
TypeCWE IDDescription
CWECWE-78CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Type: CWE
CWE ID: CWE-78
Description: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Metrics
VersionBase scoreBase severityVector
4.07.1HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
Version: 4.0
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hvpp-6mp9-frx4
x_refsource_CONFIRM
https://github.com/chamilo/chamilo-lms/commit/afdbd4bb9a9ea17b7740559dd4e05aa13b16480d
x_refsource_MISC
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30
x_refsource_MISC
Hyperlink: https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hvpp-6mp9-frx4
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/chamilo/chamilo-lms/commit/afdbd4bb9a9ea17b7740559dd4e05aa13b16480d
Resource:
x_refsource_MISC
Hyperlink: https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30
Resource:
x_refsource_MISC
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:02 Mar, 2026 | 16:16
Updated At:02 Mar, 2026 | 16:16

Chamilo is a learning management system. Prior to version 1.11.30, there is an OS command Injection vulnerability in /plugin/vchamilo/views/import.php with the POST to_main_database parameter. This issue has been patched in version 1.11.30.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.07.1HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 4.0
Base score: 7.1
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-78Primarysecurity-advisories@github.com
CWE ID: CWE-78
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/chamilo/chamilo-lms/commit/afdbd4bb9a9ea17b7740559dd4e05aa13b16480dsecurity-advisories@github.com
N/A
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30security-advisories@github.com
N/A
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hvpp-6mp9-frx4security-advisories@github.com
N/A
Hyperlink: https://github.com/chamilo/chamilo-lms/commit/afdbd4bb9a9ea17b7740559dd4e05aa13b16480d
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hvpp-6mp9-frx4
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

8Records found
CVE-2025-50194
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-Not Assigned
Published-02 Mar, 2026 | 15:16
Updated-02 Mar, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chamilo: OS Command Injection in /main/cron/lang/check_parse_lang.php

Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/cron/lang/check_parse_lang.php. This issue has been patched in version 1.11.30.

Action-Not Available
Vendor-chamilo
Product-chamilo-lms
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-50195
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-Not Assigned
Published-02 Mar, 2026 | 15:16
Updated-02 Mar, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chamilo: OS Command Injection in /plugin/vchamilo/views/manage.controller.php

Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/manage.controller.php. This issue has been patched in version 1.11.30.

Action-Not Available
Vendor-chamilo
Product-chamilo-lms
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-50196
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-Not Assigned
Published-02 Mar, 2026 | 15:17
Updated-02 Mar, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chamilo: OS Command Injection in /plugin/vchamilo/views/editinstance.php via POST main_database parameter

Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/editinstance.php via the POST main_database parameter. This issue has been patched in version 1.11.30.

Action-Not Available
Vendor-chamilo
Product-chamilo-lms
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-50197
Matching Score-10
Assigner-GitHub, Inc.
ShareView Details
Matching Score-10
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-Not Assigned
Published-02 Mar, 2026 | 15:18
Updated-02 Mar, 2026 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chamilo: OS Command Injection in /main/admin/sub_language_ajax.inc.php via POST new_language parameter

Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/admin/sub_language_ajax.inc.php via the POST new_language parameter. This issue has been patched in version 1.11.30.

Action-Not Available
Vendor-chamilo
Product-chamilo-lms
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-4221
Matching Score-6
Assigner-STAR Labs SG Pte. Ltd.
ShareView Details
Matching Score-6
Assigner-STAR Labs SG Pte. Ltd.
CVSS Score-7.2||HIGH
EPSS-1.86% / 82.85%
||
7 Day CHG~0.00%
Published-28 Nov, 2023 | 07:13
Updated-02 Aug, 2024 | 07:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chamilo LMS Learning Path PPT2LP Command Injection Vulnerability

Command injection in `main/lp/openoffice_presentation.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters.

Action-Not Available
Vendor-chamiloChamilo
Product-chamilo_lmsChamilo
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-4222
Matching Score-6
Assigner-STAR Labs SG Pte. Ltd.
ShareView Details
Matching Score-6
Assigner-STAR Labs SG Pte. Ltd.
CVSS Score-7.2||HIGH
EPSS-1.86% / 82.85%
||
7 Day CHG~0.00%
Published-28 Nov, 2023 | 07:15
Updated-02 Aug, 2024 | 07:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chamilo LMS Learning Path PPT2LP Command Injection Vulnerability

Command injection in `main/lp/openoffice_text_document.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters.

Action-Not Available
Vendor-chamiloChamilo
Product-chamilo_lmsChamilo
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-3368
Matching Score-6
Assigner-STAR Labs SG Pte. Ltd.
ShareView Details
Matching Score-6
Assigner-STAR Labs SG Pte. Ltd.
CVSS Score-9.8||CRITICAL
EPSS-84.76% / 99.33%
||
7 Day CHG~0.00%
Published-28 Nov, 2023 | 07:05
Updated-03 Jun, 2025 | 13:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chamilo LMS Unauthenticated Command Injection

Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters. This is a bypass of CVE-2023-34960.

Action-Not Available
Vendor-chamiloChamilo
Product-chamiloChamilo
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2025-41385
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-7.1||HIGH
EPSS-0.12% / 30.95%
||
7 Day CHG+0.02%
Published-30 May, 2025 | 06:35
Updated-04 Jun, 2025 | 19:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An OS Command Injection issue exists in wivia 5 all versions. If this vulnerability is exploited, an arbitrary OS command may be executed by a logged-in administrative user.

Action-Not Available
Vendor-uchidaUCHIDA YOKO CO., LTD.
Product-wivia_5wivia_5_firmwarewivia 5
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Details not found