Skip to main content

Chamilo Lms CVE-2026-32893

| EUVDEUVD-2026-21525 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-10 GitHub_M
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0.0-RC.3
EUVD ID Assigned
Apr 10, 2026 - 18:00 euvd
EUVD-2026-21525
Analysis Generated
Apr 10, 2026 - 18:00 vuln.today
CVE Published
Apr 10, 2026 - 17:42 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_build_query() directly into HTML href attributes without htmlspecialchars() encoding. This vulnerability is fixed in 2.0.0-RC.3.

AnalysisAI

Reflected XSS in Chamilo LMS exercise admin panel allows authenticated teachers to be tricked into executing arbitrary JavaScript via malicious paginated URLs, affecting versions prior to 2.0.0-RC.3. An attacker can craft a weaponized link containing unencoded query parameters that bypass the pagination mechanism's improper output encoding, potentially leading to session hijacking, credential theft, or unauthorized administrative actions within the learning management system. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

Chamilo LMS versions before 2.0.0-RC.3 contain a reflected XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in the exercise question list administrative interface. The root cause stems from unsafe parameter handling in the pagination code: the application merges all HTTP GET parameters via PHP's array_merge() function and then outputs the merged parameters directly into HTML href attributes using http_build_query() without applying htmlspecialchars() encoding. This allows attacker-controlled query string values to break out of href attribute context and inject arbitrary HTML and JavaScript. The CPE cpe:2.3:a:chamilo:chamilo-lms:*:*:*:*:*:*:*:* indicates the vulnerability affects all versions of Chamilo LMS on the 2.x branch prior to the RC.3 release.

RemediationAI

Vendor-released patch: Chamilo LMS 2.0.0-RC.3 or later. Organizations should immediately upgrade to Chamilo LMS 2.0.0-RC.3 or a subsequent stable release (when available) to apply the fix demonstrated in commit 72bc403f89b1ebb73a139f8f6cf0478857592276, which adds proper htmlspecialchars() encoding to the pagination parameter output. Until patching is feasible, administrators should restrict access to the exercise admin panel to trusted staff only and monitor for suspicious pagination requests containing encoded HTML entities (e.g., %3C, %3E, %22) in query parameters. The fix is tracked in the GitHub Security Advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-37jh-g64j-88mc and the upstream commit is available for review at https://github.com/chamilo/chamilo-lms/commit/72bc403f89b1ebb73a139f8f6cf0478857592276.

CVE-2025-50187 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

CVE-2025-50192 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex

CVE-2025-50190 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.

CVE-2021-35414 CRITICAL POC
9.8 Dec 03

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload

CVE-2019-13082 CRITICAL POC
9.8 Jun 30

Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra

CVE-2025-50199 CRITICAL POC
9.1 Mar 02

Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p

CVE-2023-4220 MEDIUM POC
6.1 Nov 28

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C

CVE-2025-50189 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. [CVSS 8.8 HIGH]

CVE-2025-52468 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi

CVE-2024-30616 HIGH POC
8.8 Nov 04

Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi

CVE-2023-4226 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit

CVE-2023-4225 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers

Share

CVE-2026-32893 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy