Description
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_build_query() directly into HTML href attributes without htmlspecialchars() encoding. This vulnerability is fixed in 2.0.0-RC.3.
Published: 2026-04-10
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting (XSS) in teacher browsers
Action: Apply Patch
AI Analysis

Impact

The flaw is a reflected cross‑site scripting vulnerability that injects arbitrary JavaScript into the browser of an authenticated teacher when the exercise question list admin panel merges all URL query parameters and outputs them directly into HTML href attributes without proper escaping. This can lead to session hijacking, credential theft, or defacement of the LMS interface. The weakness corresponds to CWE‑79.
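The following PHP is an added illustration and is not Chamilo's code. It reproduces the pattern the advisory names (array_merge() over $_GET, http_build_query(), the result written into an href) in a hypothetical buildPageLink helper, then shows the two fixes a reviewer would ask for: htmlspecialchars() with ENT_QUOTES at the HTML sink, and an allow-list of forwarded parameters instead of merging the whole request. The exact path by which attacker input reaches the attribute in Chamilo's pagination code is not reproduced; in this reduced version the URL encoding that http_build_query() happens to apply is the only thing protecting the unsafe variant, and relying on it instead of on HTML encoding at the sink is the weakness the fix removes. The attributeValueIsSafe() check and the sample request array are constructed for the example.

```php
<?php
// Added illustration, not Chamilo's code: a pagination link builder in the
// style the advisory describes, shown unescaped and then escaped at the sink.

declare(strict_types=1);

// Vulnerable pattern: the whole request is merged and the query string is
// written into an attribute context with no HTML encoding. Only the URL
// encoding inside http_build_query() keeps a quote out of the attribute;
// nothing at the sink enforces that.
function buildPageLinkUnsafe(array $get, int $page): string
{
    $params = array_merge($get, ['page' => $page]);
    $query  = http_build_query($params);
    return '<a href="exercise.php?' . $query . '">' . $page . '</a>';
}

// Hardened pattern: encode for the attribute context at the sink, whatever
// was done upstream. ENT_QUOTES covers both quote characters, ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function buildPageLinkSafe(array $get, int $page): string
{
    $params = array_merge($get, ['page' => $page]);
    $query  = http_build_query($params);
    $href   = htmlspecialchars(
        'exercise.php?' . $query,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<a href="' . $href . '">' . $page . '</a>';
}

// Stronger still: forward only the parameters the pagination needs instead
// of reflecting every key the client sent. The allow-list is hypothetical.
function buildPageLinkAllowlisted(array $get, int $page, array $allowed = ['exerciseId', 'orderBy']): string
{
    $params = array_intersect_key($get, array_flip($allowed));
    $params['page'] = $page;
    $href = htmlspecialchars(
        'exercise.php?' . http_build_query($params),
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<a href="' . $href . '">' . $page . '</a>';
}

// Sink check usable from a unit test: the href attribute value must contain
// no raw quote or angle bracket and every ampersand must be an entity.
function attributeValueIsSafe(string $html): bool
{
    if (!preg_match('/href="([^"]*)"/', $html, $m)) {
        return false;
    }
    return !preg_match('/[<>"]|&(?!amp;|#\d+;|#x[0-9a-fA-F]+;|[a-zA-Z]+;)/', $m[1]);
}

// Constructed request with an attacker-controlled parameter name and value.
$get = ['exerciseId' => '42', 'x" onmouseover="alert(1)' => '<script>'];

foreach (['buildPageLinkUnsafe', 'buildPageLinkSafe', 'buildPageLinkAllowlisted'] as $fn) {
    $html = $fn($get, 2);
    printf("%-26s %s  %s\n", $fn, attributeValueIsSafe($html) ? 'ok  ' : 'FAIL', $html);
}
```

The unsafe variant fails the check because its separators are raw `&` characters inside the attribute; the two hardened variants pass. Encoding at the sink is the fix the advisory describes, and the allow-listed builder also removes the reflection of arbitrary parameter names that array_merge($_GET, ...) introduces.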

Affected Systems

Chamilo LMS, versions earlier than 2.0.0‑RC.3, identified by the vendor/product pair chamilo:chamilo-lms. The issue is fixed in 2.0.0‑RC.3 and later.

Risk and Exploitability

The CVSS 3.1 score of 5.4 (vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates moderate severity. The PR:L and UI:R components mean the vulnerable panel is only reachable by an authenticated user and the victim, an authenticated teacher, must open an attacker-supplied link; the changed scope reflects that the payload runs in the victim's browser rather than on the server. EPSS is below 1% and the vulnerability is not listed in KEV, but the flaw sits in a widely deployed LMS, which gives it a moderate overall risk. Upgrading to the fixed release removes the issue.

Generated by OpenCVE AI on April 10, 2026 at 19:24 UTC.

Remediation

Fixed by the vendor in Chamilo LMS 2.0.0-RC.3; no workaround short of upgrading is documented.

OpenCVE Recommended Actions

  • Upgrade Chamilo LMS to version 2.0.0‑RC.3 or later, which resolves the XSS flaw.



Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:30:00 +0000

CPEs (values added):
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*

Wed, 15 Apr 2026 15:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

First Time appeared (values added): Chamilo; Chamilo chamilo Lms
Vendors & Products (values added): Chamilo; Chamilo chamilo Lms

Fri, 10 Apr 2026 18:00:00 +0000

Description (values added): Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_build_query() directly into HTML href attributes without htmlspecialchars() encoding. This vulnerability is fixed in 2.0.0-RC.3.
Title (values added): Chamilo LMS has Reflected XSS via Unsanitized http_build_query() in Exercise Question List Pagination
Weaknesses (values added): CWE-79
References (values added):
Metrics (values added): cvssV3_1
{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T14:51:41.852Z

Reserved: 2026-03-16T21:03:44.422Z

Link: CVE-2026-32893

Vulnrichment

Updated: 2026-04-15T14:51:37.366Z

NVD

Status : Analyzed

Published: 2026-04-10T18:16:41.953

Modified: 2026-04-17T21:30:03.257

Link: CVE-2026-32893

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:00:01Z

Weaknesses