Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Successful exploitation of the stored cross-site scripting (XSS) vulnerability could allow an attacker to execute arbitrary JavaScript on any user account that has access to Koollab LMS’ courselet feature.
AnalysisAI
Stored cross-site scripting (XSS) in Koollab LMS courselet feature allows authenticated users to inject arbitrary JavaScript that executes in the browsers of other users with courselet access, potentially compromising account security and enabling credential theft or malicious actions on behalf of affected users. CVSS 5.4 reflects network delivery, low complexity, and limited confidentiality/integrity impact constrained by required user interaction and authenticated access.
Technical ContextAI
The vulnerability exists in the courselet feature of Koollab Learning Management System, a web-based educational platform by Three Learning. The XSS is stored (persistent), meaning malicious JavaScript payloads are saved in the application's database and executed whenever authenticated users view the affected courselet content. This is a CWE-79 (Improper Neutralization of Input During Web Page Generation) variant where user-supplied input in courselets is not properly sanitized or encoded before being reflected in HTML responses. The CPE cpe:2.3:a:three_learning:koollab_learning_management_system:*:*:*:*:*:*:*:* indicates the vulnerability affects the core LMS product across versions.
RemediationAI
Contact Three Learning for a patched version of Koollab LMS above 5.3.2 or monitor the CSA alert (https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2026-042/) for vendor patch release timelines. If a patched version is not immediately available, implement input validation and output encoding on courselet content fields: disable HTML input in courselet descriptions and titles, or employ a strict Content Security Policy (CSP) header with script-src 'self' and nonce-based inline script whitelisting to mitigate stored XSS impact. Additionally, restrict courselet creation/editing permissions to trusted administrator roles and audit courselet modification logs for suspicious payloads. User awareness training on not clicking untrusted courselet links and using browser security extensions (e.g., XSS filters) provides defense-in-depth, though these do not eliminate the underlying vulnerability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25170
GHSA-p88x-88cf-mv94