Today, we have released Chamilo 1.11.32, which includes many vulnerability fixes (through 1.11.30). Please update soon. Stay safe.

Our security page has been updated accordingly.

🪂Chamilo 1.11.28 has just landed, with many security fixes. Update today to help secure the Chamilo network. Together, we are stronger! 🚀.

New reports of vulnerabilities have been appearing since early this week. These vulnerabilities have been addressed (as indicated in the original report by Quarkslab) but they consist of individual patches. We are working on a 1.11.28 release which includes those fixes.

RT @chamilo_news: Chamilo 1.11.26 is out 🥳This version includes highly-recommended security updates and a few improvements on top of the pr….

New critical vulnerabilities have been discovered (and fixes are available) in Chamilo 1.11.24. We urge you to update to 1.11.26 ASAP to avoid any issue with user data. Download 1.11.26 from or check each patch at

A new vulnerability (IDOR) has been detected, affecting Chamilo 1.11 portals installed or updated since 2017. Admins are encouraged to use the patch available here (affecting only 2 files for Chamilo 1.11.22) or to update as soon as 1.11.24 is released.

All known vulnerabilities have been patched in this new version. Updating your portal using the standard update procedure (backup, then overwrite files on your existing portal) is the easiest possible way to keep your data and servers safe. Please take the appropriate action soon.

RT @chamilo_news: Chamilo 1.11.22 is out 🥳.This version includes highly-recommended security updates and a few improvements on top of the p….

So if you're not on Windows and you've already deleted the additional_webservices.php script, you're already mostly OK 😉.

One critical issue only affects Chamilo on Windows servers, while the other further exploits a vulnerable file (main/webservices/additional_webservices.php) which can safely be removed if you don't use the remote PPT converter extension.

New critical vulnerabilities have been discovered (and fixes are available) in Chamilo 1.11.20. We urge you to apply those pages ASAP, as we race to provide a new version 1.11.22 to allow for an easier update process.

This issues affects most previous versions of Chamilo. Version 1.11.20 is safe in that regard.

We have received numerous reports of the RCE mentioned above being exploited since past yesterday. If you cannot update your Chamilo portal safely, please delete the main/webservices/additional_webservices.php file (or block access to it) as a quick fix. Be safe.

We also published a series of fixes post-release, but they require admin privileges to exploit, so if your admin account is well protected, you're OK. If you want to apply them anyway, use a Git version of Chamilo or check for details.

Hey chamilovers! We have just published 1.11.20, which includes a fix for a critical RCE vulnerability, so please update soon. We care about u and ur users. Don't let bad guys abuse your Chamilo installation. As always, the official source is on Github:

Several vulnerabilities (mostly XSS) have been reported on Chamilo 1.11.18, which could affect all 1.11.x versions. We are racing to release 1.11.20 with all the necessary patches, but if you want to get ahead, please check issues from n°96 @ Stay safe!.

A new authenticated RCE vulnerability has been detected in Chamilo (all stable versions). Please update as soon as possible following instructions here (vuln #94). It is a very easy fix (one file replacement), so don't wait for anything bad to happen.

New possible RCE reported and fixed in Chamilo 1.11.16. The fix will be included in the upcoming 1.11.18. To protect your portal now, apply the published patch as soon as possible.

Please check our security page regularly to maintain your Chamilo portal to the highest security standard: 4 new vulnerabilities (and their matching fixes) were added today, which may affect your users' experience with Chamilo 1.11.16.