CVE-2025-52998
CRITICAL
WAF: Medium
CVSS 9.8
Published: 2026-03-02
CWE-502
Chamilo is a learning management system. Prior to version 1.11.30, the application deserializes data that can be spoofed. An attacker can create objects of arbitrary classes and fully control their properties, and thus modify the logic of the web application's operation. This issue has been patched in version 1.11.30.
WAF Coverage Analysis
Insecure Deserialization
Medium WAF Coverage
OWASP: A08:2021 Software and Data Integrity Failures
944xxx - Java Attack
Affected Software
| Vendor | Product | Version |
|---|---|---|
| chamilo | chamilo_lms | before 1.11.30 |