Skip to main content

Chamilo Lms CVE-2026-30882

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-16 GitHub_M
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 16, 2026 - 20:05 vuln.today
CVE Published
Mar 16, 2026 - 19:21 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

Chamilo LMS is a learning management system. Chamilo LMS version 1.11.34 and prior contains a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page. The keyword parameter from $_REQUEST is echoed directly into an HTML href attribute without any encoding or sanitization. An attacker can inject arbitrary HTML/JavaScript by breaking out of the attribute context using ">followed by a malicious payload. The vulnerability is triggered when the pagination controls are rendered - which occurs when the number of session categories exceeds 20 (the page limit). This issue has been patched in version 1.11.36.

AnalysisAI

Chamilo LMS versions 1.11.34 and prior contain a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page where the keyword parameter is echoed directly into an HTML href attribute without encoding or sanitization. An attacker can inject arbitrary JavaScript by breaking out of the attribute context using a ">" payload, enabling session hijacking, credential theft, or malware distribution to any user who clicks a malicious link. The vulnerability is triggered when pagination controls render for datasets exceeding 20 items, and a patch is available in version 1.11.36.

Technical ContextAI

This is a classic Reflected XSS vulnerability (CWE-79) in Chamilo LMS, a PHP-based learning management system identified via CPE cpe:2.3:a:chamilo:chamilo-lms. The root cause is improper input validation and output encoding in the session category listing page handler, where the $_REQUEST['keyword'] parameter is directly interpolated into an HTML href attribute without HTML entity encoding or context-aware escaping. The vulnerability manifests specifically in the pagination control rendering logic, which is triggered only when the dataset size exceeds the hardcoded 20-item page limit. Unlike stored XSS, this attack requires the attacker to craft a malicious URL and socially engineer a victim into clicking it, but successful injection allows arbitrary JavaScript execution in the victim's browser within the Chamilo application context.

RemediationAI

Immediately upgrade Chamilo LMS to version 1.11.36 or later, which contains the security patch for this XSS vulnerability (see vendor advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qg5f-gq95-9vhq). If immediate upgrading is not feasible, implement input validation and output encoding controls at the application or reverse proxy layer: configure the reverse proxy (e.g., ModSecurity, nginx njs) to detect and block requests containing URL-encoded payloads (e.g., %22%3E%3Cscript) in the keyword parameter, and implement Content Security Policy (CSP) headers with strict script-src directives to mitigate XSS impact if injection occurs. Additionally, restrict administrative access to the session category listing page to trusted IP ranges and enable security logging to detect exploit attempts.

CVE-2025-50187 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

CVE-2025-50192 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex

CVE-2025-50190 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.

CVE-2021-35414 CRITICAL POC
9.8 Dec 03

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload

CVE-2019-13082 CRITICAL POC
9.8 Jun 30

Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra

CVE-2025-50199 CRITICAL POC
9.1 Mar 02

Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p

CVE-2023-4220 MEDIUM POC
6.1 Nov 28

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C

CVE-2025-50189 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. [CVSS 8.8 HIGH]

CVE-2025-52468 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi

CVE-2024-30616 HIGH POC
8.8 Nov 04

Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi

CVE-2023-4226 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit

CVE-2023-4225 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers

Share

CVE-2026-30882 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy