Skip to main content

Chamilo Lms CVE-2026-34161

| EUVDEUVD-2026-22714 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-14 GitHub_M
5.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

7
Patch released
Apr 23, 2026 - 14:57 nvd
Patch available
Patch available
Apr 16, 2026 - 05:29 EUVD
2.0.0-RC.3
Analysis Generated
Apr 14, 2026 - 22:43 vuln.today
CVSS changed
Apr 14, 2026 - 21:22 NVD
5.1 (MEDIUM)
EUVD ID Assigned
Apr 14, 2026 - 21:16 euvd
EUVD-2026-22714
Analysis Generated
Apr 14, 2026 - 21:16 vuln.today
CVE Published
Apr 14, 2026 - 21:12 nvd
MEDIUM 5.1

DescriptionGitHub Advisory

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the social post attachment upload functionality, where an authenticated user can upload a malicious HTML file containing JavaScript via the /api/social_post_attachments endpoint. The uploaded file is served back from the application at the generated contentUrl without sanitization, content type restrictions, or a Content-Disposition: attachment header, causing the JavaScript to execute in the browser within the application's origin. Because the payload is stored server-side and runs in the trusted origin, an attacker can perform session hijacking, account takeover, privilege escalation (if an admin views the link), and arbitrary actions on behalf of the victim. This issue has been fixed in version 2.0.0-RC.3.

AnalysisAI

Stored cross-site scripting (XSS) in Chamilo LMS versions prior to 2.0.0-RC.3 allows authenticated users to upload malicious HTML files containing JavaScript via the social post attachment API endpoint. The uploaded files are served without sanitization, content-type restrictions, or proper content-disposition headers, causing embedded JavaScript to execute in the browser within the application's trusted origin. This enables session hijacking, account takeover, and privilege escalation attacks, particularly when an administrator views a malicious link. The vulnerability is confirmed fixed in version 2.0.0-RC.3.

Technical ContextAI

This is a stored XSS vulnerability (CWE-79) affecting Chamilo LMS's REST API endpoint /api/social_post_attachments. The root cause stems from insufficient input validation and output encoding in the file upload and serving mechanism. When a user uploads a file through the attachment endpoint, the application generates a contentUrl to serve the file back to users. The vulnerability arises because the server fails to enforce three critical security controls: (1) content-type validation to restrict file uploads to non-executable types, (2) content sanitization or encoding of file contents before serving, and (3) a Content-Disposition: attachment HTTP response header that would force browsers to download the file rather than execute it inline. Because the malicious JavaScript executes within the application's same origin (same scheme, domain, and port), it gains access to session cookies, CSRF tokens, and other sensitive data that would normally be protected by the browser's same-origin policy. This is particularly dangerous for privilege escalation when administrators or high-privilege users view links containing the malicious payload.

RemediationAI

The vendor-released patch is available in Chamilo LMS version 2.0.0-RC.3 or later. Administrators should upgrade immediately to this version or newer to apply the fix. The patch implements proper content-type validation for uploaded files, sanitizes or encodes file contents before serving, and adds appropriate Content-Disposition headers to prevent inline execution. Upgrade instructions and release details are available at https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3. No reliable workarounds exist for earlier versions; patching is the primary remediation. In the interim, administrators may consider restricting upload functionality through access controls or temporarily disabling the social post attachment feature if operationally feasible.

CVE-2025-50187 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

CVE-2025-50192 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex

CVE-2025-50190 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.

CVE-2021-35414 CRITICAL POC
9.8 Dec 03

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload

CVE-2019-13082 CRITICAL POC
9.8 Jun 30

Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra

CVE-2025-50199 CRITICAL POC
9.1 Mar 02

Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p

CVE-2023-4220 MEDIUM POC
6.1 Nov 28

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C

CVE-2025-50189 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. [CVSS 8.8 HIGH]

CVE-2025-52468 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi

CVE-2024-30616 HIGH POC
8.8 Nov 04

Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi

CVE-2023-4226 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit

CVE-2023-4225 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers

Share

CVE-2026-34161 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy