CVE-2026-34161 | Chamilo LMS up to 2.0.0-RC.2 social_post_attachments cross site scripting (GHSA-273p-jw9w-3g22)

VDB-357603 · CVE-2026-34161 · GHSA-273P-JW9W-3G22 CHAMILO LMS UP TO 2.0.0-RC.2 SOCIAL_POST_ATTACHMENTS CROSS SITE SCRIPTING HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 3.4 $0-$5k 1.52+ Summaryinfo A vulnerability, which was classified as problematic, has been found in Chamilo LMS up to 2.0.0-RC.2. This issue affects some unknown processing of the file /api/social_post_attachments. Performing a manipulation results in cross site scripting. This vulnerability was named CVE-2026-34161. The attack may be initiated remotely. There is no available exploit. It is advisable to upgrade the affected component. Detailsinfo A vulnerability was found in Chamilo LMS up to 2.0.0-RC.2. It has been classified as problematic. This affects an unknown functionality of the file /api/social_post_attachments. The manipulation with an unknown input leads to a cross site scripting vulnerability. CWE is classifying the issue as CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This is going to have an impact on integrity. The summary by CVE is: Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the social post attachment upload functionality, where an authenticated user can upload a malicious HTML file containing JavaScript via the /api/social_post_attachments endpoint. The uploaded file is served back from the application at the generated contentUrl without sanitization, content type restrictions, or a Content-Disposition: attachment header, causing the JavaScript to execute in the browser within the application's origin. Because the payload is stored server-side and runs in the trusted origin, an attacker can perform session hijacking, account takeover, privilege escalation (if an admin views the link), and arbitrary actions on behalf of the victim. This issue has been fixed in version 2.0.0-RC.3. It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2026-34161 since 03/25/2026. The exploitability is told to be easy. It is possible to initiate the attack remotely. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1059.007 according to MITRE ATT&CK. Upgrading to version 2.0.0-RC.3 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 7c4965e48769d1d06413836429e386816a465c7f is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version. Productinfo Type Content Management System Vendor Chamilo Name LMS Version 2.0.0-RC.0 2.0.0-RC.1 2.0.0-RC.2 License open-source CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA CVSS-B Score: 🔒 CNA CVSS-BT Score: 🔒 CNA Vector: 🔒 CVSSv3info VulDB Meta Base Score: 3.5 VulDB Meta Temp Score: 3.4 VulDB Base Score: 3.5 VulDB Temp Score: 3.4 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Cross site scripting CWE: CWE-79 / CWE-94 / CWE-74 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: LMS 2.0.0-RC.3 Patch: 7c4965e48769d1d06413836429e386816a465c7f Timelineinfo 03/25/2026 CVE reserved 04/14/2026 +19 days Advisory disclosed 04/14/2026 +0 days VulDB entry created 04/14/2026 +0 days VulDB entry last update Sourcesinfo Advisory: GHSA-273p-jw9w-3g22 Status: Confirmed CVE: CVE-2026-34161 (🔒) GCVE (CVE): GCVE-0-2026-34161 GCVE (VulDB): GCVE-100-357603 Entryinfo Created: 04/14/2026 23:58 Changes: 04/14/2026 23:58 (72) Complete: 🔍 Cache ID: 99:430:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸