SB20260424136 - Multiple vulnerabilities in Chamilo LMS
Published: April 24, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2026-32893)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser.
The vulnerability exists due to cross-site scripting in public/main/exercise/question_list_admin.inc.php when generating pagination links from user-supplied GET parameters. A remote user can send a specially crafted request to execute arbitrary JavaScript in a victim's browser.
User interaction is required, and exploitation occurs in an authenticated teacher's browser.
2) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33141)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key in the REST API stats endpoint when handling GET requests for user and course statistics. A remote user can request statistics for arbitrary user IDs and course IDs to disclose sensitive information.
The issue affects learning progress, certificates, and gradebook scores, and does not require enrollment or a supervisory relationship to access the requested records.
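A defensive pattern for the second issue, as an added example rather than Chamilo's own code: before returning statistics, the endpoint resolves whether the requester has a verifiable relationship (self, course teacher, supervisor, administrator) to the user and course named in the request, so a changed key alone discloses nothing. The relationship tables, `canViewStats` and the `handleStatsRequest` handler are hypothetical and constructed inline.

```php
<?php
// Added example, not Chamilo code. Relationship data is constructed inline;
// a real endpoint would resolve these from the LMS database.
$enrollments = ['c1' => [10, 11], 'c2' => [12]];  // course => enrolled users
$teachers    = ['c1' => [20], 'c2' => [21]];      // course => teaching users
$supervisors = [30 => [12]];                      // HR user => supervised users
$admins      = [1];                               // platform administrators

// Authorize a read of $targetUser's stats in $courseId by $requester. The ids
// taken from the request are never trusted on their own; access follows only
// from a relationship the server can verify.
function canViewStats(int $requester, int $targetUser, string $courseId,
                      array $enrollments, array $teachers,
                      array $supervisors, array $admins): bool
{
    // The target must be enrolled in the requested course at all.
    if (!in_array($targetUser, $enrollments[$courseId] ?? [], true)) {
        return false;
    }
    if ($requester === $targetUser) {                     // own records
        return true;
    }
    if (in_array($requester, $admins, true)) {            // administrator
        return true;
    }
    if (in_array($requester, $teachers[$courseId] ?? [], true)) {
        return true;                                      // teaches this course
    }
    // Supervisory relationship with the target user.
    return in_array($targetUser, $supervisors[$requester] ?? [], true);
}
// Minimal handler: validate the user-controlled keys, then gate on the
// relationship check before any statistics query would run.
function handleStatsRequest(array $query, int $sessionUser, array $ctx): array
{
    $userId   = filter_var($query['user_id'] ?? null, FILTER_VALIDATE_INT);
    $courseId = $query['course_id'] ?? '';
    if ($userId === false || !is_string($courseId)
        || !preg_match('/^[A-Za-z0-9_]+$/', $courseId)) {
        return ['status' => 400, 'body' => 'invalid parameters'];
    }
    if (!canViewStats($sessionUser, $userId, $courseId, ...$ctx)) {
        return ['status' => 403, 'body' => 'not authorized'];
    }
    return ['status' => 200, 'body' => "stats for user $userId in $courseId"];
}
$ctx = [$enrollments, $teachers, $supervisors, $admins];
// Teacher 20 asks about a student enrolled in the course they teach.
echo handleStatsRequest(['user_id' => '10', 'course_id' => 'c1'], 20, $ctx)['status'], "\n";
// Student 11 swaps the user_id key to another student's record.
echo handleStatsRequest(['user_id' => '10', 'course_id' => 'c1'], 11, $ctx)['status'], "\n";
```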
Remediation
Install the update from the vendor's website.