Description
Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2.
Published: 2026-04-10
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: Open redirect via login redirect parameter
Action: Apply Patch
AI Analysis

Impact

Chamilo LMS allows anyone with access to the login page to supply an arbitrary redirect URL via the redirect parameter, which is not validated server-side. The result is an open redirect that can send unsuspecting users to attacker-chosen sites. The vulnerability is classified as CWE-601 (open redirect) and enables phishing, click-jacking, or social-engineering attacks that borrow the trust of the legitimate login URL.

Affected Systems

The issue affects the Chamilo Learning Management System from its 1.11.0 release through 2.0-beta.1. Users operating those versions are at risk. The product is developed by the Chamilo community.

Risk and Exploitability

No CVSS score is published, and the EPSS score is unavailable. The vulnerability is not listed in CISA KEV. The attack vector is remote, accessible via the web interface using the login redirect parameter. Because no authentication is required, the potential impact depends on the attacker’s ability to entice users into following the link; it can facilitate phishing or malicious site redirection, but does not expose sensitive data directly. The overall risk is moderate, though users who follow a crafted link could be manipulated.

Generated by OpenCVE AI on April 10, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chamilo LMS to version 2.0-beta.2 or later to remove the open redirect.
  • If an upgrade is not immediately possible, block or validate the redirect parameter on the /login route to prevent external redirects.
  • Monitor your application logs for anomalous redirect attempts and educate users about click-jacking risks.
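The second and third actions above (validate the redirect parameter, then watch the logs for off-site redirect attempts) are illustrated by the following added example. It is not Chamilo's own code and not the vendor's patch: Chamilo is a PHP application, and this is a language-independent sketch in Python. The function names, the DEFAULT_LANDING fallback, the allow-listed host lms.example.edu and the access-log lines are all constructed for the illustration.

```python
"""Added example (not Chamilo code): validate a login `redirect` parameter
so it can only land on this site, and flag off-site attempts in access logs."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs

DEFAULT_LANDING = "/"  # hypothetical fallback landing page


def validate_redirect(raw, allowed_hosts=()):
    """Return a same-site redirect target, or None if `raw` must be rejected.

    Rules: control characters and whitespace are rejected (they could split the
    Location header); backslashes are normalised to slashes because browsers
    treat them alike; absolute URLs are allowed only for http(s) to an
    allow-listed host and are rebuilt as a path so userinfo/port cannot sneak
    through; relative targets must start with exactly one slash ("//host" is a
    protocol-relative URL, i.e. still off-site).
    """
    if not isinstance(raw, str) or not raw:
        return None
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in raw):
        return None
    candidate = raw.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:  # e.g. malformed IPv6 literal in the authority
        return None
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https"):
            return None
        allowed = {h.lower() for h in allowed_hosts}
        if parts.hostname is None or parts.hostname.lower() not in allowed:
            return None
        return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
    if not candidate.startswith("/") or candidate.startswith("//"):
        return None
    return candidate


def safe_redirect_target(raw, allowed_hosts=()):
    """What /login should actually redirect to: the validated target or the default."""
    return validate_redirect(raw, allowed_hosts) or DEFAULT_LANDING


# Constructed sample access-log lines in combined-log style (not real Chamilo logs).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2026:18:20:01 +0000] "GET /login?redirect=%2Fmain%2Fcourses HTTP/1.1" 302 0
203.0.113.9 - - [10/Apr/2026:18:20:07 +0000] "GET /login?redirect=https%3A%2F%2Fexample.net%2F HTTP/1.1" 302 0
203.0.113.9 - - [10/Apr/2026:18:20:09 +0000] "GET /login?redirect=%2F%2Fexample.net HTTP/1.1" 302 0
203.0.113.12 - - [10/Apr/2026:18:20:15 +0000] "GET /main/ HTTP/1.1" 200 1234
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_offsite_redirect_attempts(log_text, allowed_hosts=()):
    """Return (client_ip, redirect_value) for /login requests whose redirect
    parameter would have left the site under the validation rules above."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/login":
            continue
        for raw in parse_qs(parts.query).get("redirect", []):
            if validate_redirect(raw, allowed_hosts) is None:
                hits.append((m.group("ip"), raw))
    return hits


if __name__ == "__main__":
    for ip, value in find_offsite_redirect_attempts(SAMPLE_LOG):
        print(f"off-site redirect attempt from {ip}: {value!r}")
```

Returning a path-only string even for allow-listed absolute URLs keeps the Location header on the current origin, so a host allow-list typo cannot turn into an off-site hop. The log scanner reuses the same validator, so detection and prevention cannot drift apart.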

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 22:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*

Tue, 14 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Chamilo
Chamilo chamilo Lms
Vendors & Products Chamilo
Chamilo chamilo Lms

Fri, 10 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2.
Title Chamilo LMS has validation-less redirect on login page
Weaknesses CWE-601
References
Metrics cvssV3_1

{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}


Subscriptions

Chamilo Chamilo Lms
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T14:12:56.349Z

Reserved: 2025-12-01T18:22:06.865Z

Link: CVE-2025-66447

Vulnrichment

Updated: 2026-04-14T14:12:52.677Z

NVD

Status : Analyzed

Published: 2026-04-10T18:16:40.630

Modified: 2026-04-17T22:03:27.103

Link: CVE-2025-66447

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:00:07Z

Weaknesses