PT-2026-23632 · Chamilo · Chamilo

Published 2026-03-06 · Updated 2026-03-06 · CVE-2025-59540

CVSS v4.0: 6.4 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Chamilo versions prior to 1.11.34

Description: Chamilo is a learning management system. A stored cross-site scripting (XSS) issue allows a user with a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The feedback input shown on the exercise history page is not properly encoded before rendering, so injected markup persists in the database and executes whenever the page is viewed. The vulnerable component is the rendering of feedback input.

Recommendations: Update to version 1.11.34 or later.
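The weakness class described above is stored input echoed into HTML without output encoding. The following is an added example, not Chamilo's code and not the project's fix: a hypothetical feedback-rendering helper for an exercise-history table, shown first in its vulnerable form and then encoded at the output boundary. The function names, the table markup and the sample feedback string are all constructed for illustration.

```php
<?php
// Added example (hypothetical, not Chamilo's code): rendering stored feedback
// in an exercise-history page. Constructed sample value, as it might be read
// back from the database after a staff user saved it.
$storedFeedback = 'Good work <script>alert(1)</script>';

// Vulnerable pattern: the stored string is concatenated into the HTML verbatim,
// so any markup it contains is interpreted by the reviewing admin's browser.
function renderFeedbackUnsafe(string $feedback): string
{
    return '<td class="feedback">' . $feedback . '</td>';
}

// Hardened pattern: encode at the point of output. ENT_QUOTES also escapes
// single quotes, so the result is safe inside attribute values as well as in
// text nodes; the explicit charset avoids mishandling multibyte input.
function renderFeedbackSafe(string $feedback): string
{
    $encoded = htmlspecialchars($feedback, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td class="feedback">' . $encoded . '</td>';
}

// Detection-style check a reviewer can apply to rendered output: the encoded
// cell must contain no raw '<' from the untrusted value.
function containsRawTag(string $html, string $untrusted): bool
{
    return str_contains($untrusted, '<') && str_contains($html, $untrusted);
}

echo renderFeedbackUnsafe($storedFeedback), PHP_EOL;
echo renderFeedbackSafe($storedFeedback), PHP_EOL;
var_dump(containsRawTag(renderFeedbackUnsafe($storedFeedback), $storedFeedback));
var_dump(containsRawTag(renderFeedbackSafe($storedFeedback), $storedFeedback));
```

Encoding belongs at output rather than at input time: the same stored string may later be rendered in a different context (an attribute, a JavaScript string, a JSON response), and each context needs its own encoding. Sanitising on save also leaves existing database rows unprotected, which is why an upgrade that fixes the rendering path is the right remediation.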

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2025-59540
GHSA-59H4-34MX-M67M

Affected Products

Chamilo