PT-2026-22616 · Chamilo · Chamilo

Published 2026-03-02 · Updated 2026-03-07 · CVE-2025-52469

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Chamilo versions prior to 1.11.30

Description: Chamilo is a learning management system. A logic issue in the friend request workflow of Chamilo's social network module allows any authenticated user to add any other user as a friend by directly calling the AJAX endpoint used for managing friend requests. The attacker bypasses the normal friend request process and can even add non-existent users. This breaks access control and social interaction logic, potentially impacting privacy.

Recommendations: Update to version 1.11.30 or later.

Weakness Enumeration

Related Identifiers

CVE-2025-52469
GHSA-M5XJ-5XF3-RQCH

Affected Products

Chamilo