CVE-2025-52998 | THREATINT

Description

Chamilo is a learning management system. Prior to version 1.11.30, in the application, deserialization of data is performed, the data can be spoofed. An attacker can create objects of arbitrary classes, as well as fully control their properties, and thus modify the logic of the web application's operation. This issue has been patched in version 1.11.30.

PUBLISHED Reserved 2025-06-24 | Published 2026-03-02 | Updated 2026-03-02 | Assigner GitHub_M

HIGH: 7.0CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-502: Deserialization of Untrusted Data

Product status

< 1.11.30

affected

References

github.com/...lo-lms/security/advisories/GHSA-6mwg-2mw5-rx5v

github.com/...ommit/ba7e15d8cfefcd451de939e98d461b17e72eb627

github.com/chamilo/chamilo-lms/releases/tag/v1.11.30

cve.org (CVE-2025-52998)

nvd.nist.gov (CVE-2025-52998)

Download JSON