CVE-2025-50189
Received Received - Intake
SQL Injection in Chamilo Course Copy Allows Database Manipulation

Publication date: 2026-03-02

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
Chamilo is a learning management system. Prior to version 1.11.30, the application performs insufficient validation of data coming from the user from the POST resource[document][SQL_INJECTION_HERE] and POST login parameters found in /main/coursecopy/copy_course_session_selected.php, which allows an attacker to perform an attack aimed at modifying the database query logic by injecting an arbitrary SQL statements. This issue has been patched in version 1.11.30.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-03-03
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-15
NVD
CVE-2025-50189
EUVD
EUVD-2025-208158
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chamilo chamilo_lms to 1.11.30 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Chamilo LMS prior to version 1.11.30 is an SQL injection issue. The application did not properly validate user-supplied data from POST parameters in the file /main/coursecopy/copy_course_session_selected.php. This allowed attackers to inject arbitrary SQL statements, potentially modifying the logic of database queries.

The root cause was the use of concatenated SQL strings with user input, which was replaced by parameterized queries in the patch to prevent injection attacks.

Impact Analysis

An attacker exploiting this SQL injection vulnerability could manipulate database queries, potentially leading to unauthorized data access, data modification, or corruption within the Chamilo LMS database.

Such impacts could include exposure of sensitive information, alteration or deletion of course data, and disruption of LMS functionality.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves SQL injection through insufficient validation of POST parameters in the Chamilo LMS, specifically in the /main/coursecopy/copy_course_session_selected.php file. Detection would involve monitoring or inspecting POST requests to this endpoint for suspicious or malformed SQL input patterns.

Since the vulnerability is related to SQL injection, one way to detect it is by analyzing web server logs or using web application firewalls (WAF) to identify unusual POST requests containing SQL keywords or syntax.

No explicit detection commands or tools are provided in the available resources.

Mitigation Strategies

The vulnerability has been patched in Chamilo LMS version 1.11.30 by replacing vulnerable concatenated SQL queries with parameterized queries, which prevent SQL injection.

Immediate mitigation steps include upgrading the Chamilo LMS installation to version 1.11.30 or later.

If upgrading immediately is not possible, consider applying the security patch manually by updating the CourseSelectForm component, specifically the get_posted_course method, to use parameterized queries as shown in the commit associated with this CVE.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-50189. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart