CVE-2026-34161
Stored XSS in Chamilo LMS Social Post Attachment Upload
Publication date: 2026-04-14
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | 2.0.0 |
| chamilo | chamilo_lms | up to 1.11.38 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in Chamilo LMS versions prior to 2.0.0-RC.3. It occurs in the social post attachment upload feature, where an authenticated user can upload a malicious HTML file containing JavaScript via the /api/social_post_attachments endpoint.
The uploaded malicious file is then served back by the application without proper sanitization, content type restrictions, or a Content-Disposition: attachment header. This causes the JavaScript code to execute in the browser within the trusted origin of the application.
Because the payload is stored server-side and runs in the trusted origin, an attacker can exploit this to perform session hijacking, account takeover, privilege escalation (especially if an admin views the malicious content), and arbitrary actions on behalf of the victim.
How can this vulnerability impact me?
This vulnerability can have several serious impacts including:
- Session hijacking, allowing attackers to steal user sessions.
- Account takeover, where attackers gain unauthorized access to user accounts.
- Privilege escalation, especially if an administrator views the malicious content, potentially giving attackers higher-level access.
- Execution of arbitrary actions on behalf of the victim user within the application.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where the issue has been fixed.
Avoid allowing authenticated users to upload HTML files via the /api/social_post_attachments endpoint until the upgrade is applied.
Implement additional security controls such as sanitizing uploaded content, enforcing content type restrictions, and setting Content-Disposition headers to prevent execution of malicious scripts.
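The three controls just listed, as an added example rather than Chamilo's own code: a server-side check that accepts an upload only by its bytes and rejects anything a browser could treat as HTML, plus the response headers for serving a stored attachment as a download instead of rendering it in the application's origin. The allowlist, magic-byte table and function names are assumptions, not the project's API.

```python
import re
# Allowlisted attachment types, decided from the file's own bytes rather than
# the client-supplied filename or Content-Type (hypothetical allowlist).
ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif", "application/pdf"}
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]
# Markup a browser could treat as active content if it ever sniffed the file.
HTML_MARKERS = re.compile(rb"<\s*(!doctype|html|script|svg|iframe|body)", re.IGNORECASE)

def sniff_type(data: bytes):
    """Return the MIME type implied by the leading magic bytes, or None."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None

def validate_attachment(data: bytes, declared_type: str):
    """Return (accepted, detail) for an upload to the attachment endpoint.
    Rejects anything outside the allowlist, a declared Content-Type that
    disagrees with the bytes, and active markup near the start of the file
    (a valid PNG header followed by <script> is still rejected)."""
    detected = sniff_type(data)
    if detected is None or detected not in ALLOWED_TYPES:
        return False, "content is not an allowed attachment type"
    if declared_type.split(";")[0].strip().lower() != detected:
        return False, "declared Content-Type does not match file content"
    if HTML_MARKERS.search(data[:4096]):
        return False, "file contains active-content markup"
    return True, detected

def download_headers(detected_type: str, filename: str):
    """Headers for serving a stored attachment as a download, so the browser
    never renders it as a document inside the application's origin."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": detected_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

if __name__ == "__main__":
    # Constructed samples: an HTML upload, and a PNG header carrying a script tag.
    print(validate_attachment(b"<html><script>alert(1)</script></html>", "text/html"))
    print(validate_attachment(b"\x89PNG\r\n\x1a\n<script>x</script>", "image/png"))
```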
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to execute malicious JavaScript in the context of the application, potentially leading to session hijacking, account takeover, and privilege escalation. Such unauthorized access and actions could result in exposure or misuse of personal or sensitive data.
This kind of security flaw may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure access controls to prevent unauthorized data disclosure or manipulation.
However, the provided information does not explicitly state the direct impact on compliance with these regulations.