Description
Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the social post attachment upload functionality, where an authenticated user can upload a malicious HTML file containing JavaScript via the /api/social_post_attachments endpoint. The uploaded file is served back from the application at the generated contentUrl without sanitization, content type restrictions, or a Content-Disposition: attachment header, causing the JavaScript to execute in the browser within the application's origin. Because the payload is stored server-side and runs in the trusted origin, an attacker can perform session hijacking, account takeover, privilege escalation (if an admin views the link), and arbitrary actions on behalf of the victim. This issue has been fixed in version 2.0.0-RC.3.
Published: 2026-04-14
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS with arbitrary JavaScript execution
Action: Immediate Patch
AI Analysis

Impact

A stored cross‑site scripting flaw exists in the social post attachment upload feature of Chamilo LMS. When an authenticated user uploads a malicious HTML file to the /api/social_post_attachments endpoint, the application serves the file from the generated contentUrl without any sanitization, content type restrictions, or an attachment header. The JavaScript within the file executes in the victim’s browser as part of the trusted application origin, allowing the attacker to hijack sessions, take over accounts, upgrade privileges if an administrator views the link, and carry out arbitrary actions on behalf of the victim.

Affected Systems

The vulnerability affects all Chamilo Learning Management System installations running a version earlier than 2.0.0‑RC.3, including production deployments where user‑generated attachments are enabled. The issue has been addressed in version 2.0.0‑RC.3 and later.

Risk and Exploitability

The CVSS score is 5.1, indicating moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an authenticated user with permission to upload attachments; the attacker must then lure an administrator or another privileged user to the malicious attachment’s URL for the cross‑site scripting payload to execute. Because the payload executes within the application’s trusted origin, the impact can be extensive if an administrator accesses the link.

Generated by OpenCVE AI on April 14, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chamilo LMS to version 2.0.0‑RC.3 or later, which removes the unsanitized upload handling.
  • If an upgrade is not feasible immediately, restrict attachment uploads to administrative users only and enforce file‑type validation and appropriate content‑disposition headers to prevent execution of embedded scripts.
  • Deploy a Web Application Firewall rule or content‑security‑policy enforcement that blocks inline JavaScript from user‑uploaded content to mitigate the risk until a patch is applied.
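A defender-side illustration of the second and third recommendations (file-type allowlist, a forced Content-Disposition: attachment, and blocking script execution on anything served back from an upload), written as an added Python example; it is not Chamilo’s code, and the ALLOWED_TYPES allowlist, the sniffing rule and the function names are assumptions.

```python
"""Serving user uploads so a stored HTML file never runs as a page.

Added example, not Chamilo code. Mitigations taken from the advisory:
allowlist upload types, force a download on the contentUrl response,
and forbid script execution on anything that might still render.
"""
from __future__ import annotations

import mimetypes
import re

# Types a browser renders and executes script in: never serve these
# inline from the application origin.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "text/javascript",
    "application/javascript",
}
# Assumed attachment allowlist (the advisory names none).
ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif",
                 "application/pdf", "text/plain"}

_MARKUP = re.compile(rb"<\s*(!doctype|html|script|svg|body|iframe)",
                     re.IGNORECASE)


def looks_like_markup(data: bytes) -> bool:
    """Content sniffing: the leading bytes decide, not the extension."""
    return bool(_MARKUP.search(data[:1024]))


def validate_upload(filename: str, data: bytes) -> str | None:
    """Return the content type to store, or None to reject the upload."""
    guessed, _ = mimetypes.guess_type(filename)
    if guessed not in ALLOWED_TYPES:
        return None
    if looks_like_markup(data):       # e.g. "photo.png" that is really HTML
        return None
    return guessed


def attachment_headers(filename: str, content_type: str) -> dict[str, str]:
    """Headers for the contentUrl response: always a download, never a page."""
    # Neutralise characters that could break the header or its quoting.
    safe_name = re.sub(r"[^\w.\-]", "_", filename) or "attachment"
    if content_type in ACTIVE_TYPES or content_type not in ALLOWED_TYPES:
        content_type = "application/octet-stream"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",   # no sniffing back to HTML
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Cache-Control": "private, no-store",
    }
```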

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type: First Time appeared
Values added: Chamilo; Chamilo chamilo Lms
Type: Vendors & Products
Values added: Chamilo; Chamilo chamilo Lms

Tue, 14 Apr 2026 21:15:00 +0000

Type: Description
Values added: the CVE description (identical to the Description at the top of this page)
Type: Title
Values added: Chamilo LMS: Stored XSS via Malicious File Upload in Social Post Attachments Leads to Arbitrary JavaScript Execution
Type: Weaknesses
Values added: CWE-79
Type: References
Values added: (none listed)
Type: Metrics
Values added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T13:49:26.172Z

Reserved: 2026-03-25T20:12:04.197Z

Link: CVE-2026-34161

Vulnrichment

Updated: 2026-04-16T13:49:21.299Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T21:16:26.400

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-34161

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:31:57Z

Weaknesses