Chamilo LMS, an open-source learning management system, contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-52482, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). This vulnerability exists in the glossary function of Chamilo versions prior to 1.11.30. Specifically, users assigned the Teachers role can inject malicious JavaScript code into glossary entries, which is then stored and executed when an administrator views the affected content. The vulnerability allows attackers to execute arbitrary scripts in the context of administrator sessions, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. The CVSS v3.1 base score is 8.3, reflecting high severity, with an attack vector of network (remote), low attack complexity, requiring high privileges (teacher role), and user interaction (administrator viewing the malicious entry). The scope is changed, indicating that the vulnerability affects resources beyond the initially compromised component. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the elevated privileges required and the potential impact on confidentiality and integrity. The issue was reserved in June 2025 and published in March 2026, with a patch released in Chamilo LMS version 1.11.30 to neutralize the input properly and prevent script injection.

The primary impact of this vulnerability is on the confidentiality and integrity of the affected systems. By exploiting the stored XSS in the glossary function, an attacker with teacher-level access can execute malicious scripts in the context of an administrator's browser session. This can lead to session hijacking, theft of administrative credentials, unauthorized changes to LMS content or configurations, and potentially the deployment of further attacks within the LMS environment. The availability impact is low but not negligible, as malicious scripts could be used to disrupt administrative workflows. Organizations relying on Chamilo LMS for educational delivery and administration face risks of compromised administrative accounts, data breaches involving sensitive educational data, and erosion of trust in the LMS platform. Given the network attack vector and low complexity, exploitation could be automated once discovered, increasing the threat to organizations worldwide that have not applied the patch.

Organizations should immediately upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability is patched. Until upgrading is possible, implement strict input validation and sanitization on all glossary inputs, especially those submitted by users with elevated privileges such as teachers. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the LMS web interface. Limit the number of users with teacher roles and regularly audit role assignments to minimize exposure. Monitor logs for unusual activity related to glossary entries and administrator sessions. Additionally, educate administrators to be cautious when interacting with user-generated content and consider deploying web application firewalls (WAFs) with rules targeting XSS payloads specific to Chamilo LMS. Finally, maintain an incident response plan to quickly address any detected exploitation attempts.