Description
Chamilo LMS is a learning management system. Prior to version 1.11.36, Chamilo is vulnerable to user enumeration with valid/invalid username. This issue has been patched in version 1.11.36.
Published: 2026-03-16
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Update LMS
AI Analysis

Impact

Chamilo LMS is vulnerable to user enumeration through its response handling. An attacker can determine whether a username exists by sending a request with a candidate username and observing the system’s response. This flaw is classified as CWE‑204 and allows an attacker to gather valid usernames, which can facilitate credential stuffing, phishing, or targeted attacks. The vulnerability does not provide remote code execution or direct access to privileged data, but it does expose user identity information.

Affected Systems

The issue affects the Chamilo Learning Management System (Chamilo‑LMS). Versions prior to 1.11.36 are impacted; the vulnerability is fixed in release 1.11.36 and later.

Risk and Exploitability

The CVSS score is 6.3, indicating medium severity, and the EPSS score is below 1%, suggesting low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation can occur remotely via the web interface, requiring only access to the LMS endpoint and valid usernames for enumeration. The risk is elevated for environments that rely on strict user identity confidentiality but is mitigated by the low likelihood of widespread exploitation.

Generated by OpenCVE AI on March 17, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Chamilo‑LMS version 1.11.36 or later to eliminate the enumeration flaw.

Generated by OpenCVE AI on March 17, 2026 at 20:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Chamilo
Chamilo chamilo Lms
Vendors & Products Chamilo
Chamilo chamilo Lms

Mon, 16 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description Chamilo LMS is a learning management system. Prior to version 1.11.36, Chamilo is vulnerable to user enumeration with valid/invalid username. This issue has been patched in version 1.11.36.
Title Chamilo LMS: User enumeration vulnerability via response
Weaknesses CWE-204
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Chamilo Chamilo Lms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T20:22:42.799Z

Reserved: 2026-03-06T00:04:56.699Z

Link: CVE-2026-30876

cve-icon Vulnrichment

Updated: 2026-03-16T20:20:30.931Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T20:16:18.490

Modified: 2026-03-17T18:53:03.027

Link: CVE-2026-30876

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:49:52Z

Weaknesses