CVE-2025-52469

HIGH EPSS 20.6%
Published Mar 2, 20264mo ago · Modified Mar 3, 20263mo ago
7.1 CVSS 3.1
High
Find Similar
Published Mar 2, 2026 4mo ago
Last Modified Mar 3, 2026 3mo ago

Description

Chamilo is a learning management system. Prior to version 1.11.30, a logic vulnerability in the friend request workflow of Chamilo’s social network module allows an authenticated user to forcibly add any user as a friend by directly calling the AJAX endpoint. The attacker can bypass the normal flow of sending and accepting friend requests, and even add non-existent users. This breaks access control and social interaction logic, with potential privacy implications. This issue has been patched in version 1.11.30.

CVSS Details

Base Score
7.1
Exploitability
2.8
Impact
4.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
20.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-841

Affected Products 1

VendorProductVersionRange
chamilochamilo_lms* <1.11.30

References 3

  • github.com https://github.com/chamilo/chamilo-lms/commit/39e0fa88a2ba5dd197e0d8ce7335730b666992a6
    Patch
  • github.com https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30
    ProductRelease Notes
  • github.com https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-m5xj-5xf3-rqch
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/chamilo/chamilo-lms/commit/39e0fa88a2ba5dd197e0d8ce7335730b666992a6
    Patch