SB2026070763 - Multiple vulnerabilities in Chamilo LMS



SB2026070763 - Multiple vulnerabilities in Chamilo LMS

Published: July 7, 2026

Security Bulletin ID SB2026070763
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2026-45143)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in an administrator's browser and take over the administrator account.

The vulnerability exists due to cross-site scripting in the private message rendering functionality when rendering stored message content with v-html. A remote user can send a specially crafted private message to a specific administrator to execute arbitrary script in an administrator's browser and take over the administrator account.

User interaction is limited to the administrator opening the inbox as part of routine use, with no phishing or link click required.


2) Arbitrary file upload (CVE-ID: N/A)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to unrestricted upload of file with dangerous type in the course dropbox upload handler when handling file uploads to the dropbox tool. A remote user can upload a crafted .htaccess file and a php payload disguised as a .gif to execute arbitrary code.

Exploitation requires an authenticated course participant account and the dropbox tool to be enabled for the course.


3) Cross-site scripting (CVE-ID: N/A)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary JavaScript in the browser of users who view an injected account.

The vulnerability exists due to cross-site scripting in the update_users action of the AJAX endpoint main/inc/ajax/user_manager.ajax.php when handling attacker-controlled firstname, lastname, and email fields. A remote attacker can submit crafted profile field values to execute arbitrary JavaScript in the browser of users who view an injected account.

The injected content is rendered without HTML escaping on multiple pages, including user_portal.php, the admin user listing, user information, social profile, course participant list, and the message-composer recipient header.


4) Path traversal (CVE-ID: N/A)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to delete arbitrary files and cause a denial of service.

The vulnerability exists due to improper input validation in the plugin/cleandeletedfiles/src/ajax.php AJAX endpoint when handling path and list parameters. A remote user can send a specially crafted request to delete arbitrary files and cause a denial of service.

The issue is exposed through the cleandeletedfiles plugin and can also be exploited via cross-site request forgery against an administrator session.


5) Cross-site scripting (CVE-ID: CVE-2026-55503)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists due to cross-site scripting in the learning path SCORM table of contents renderer when processing a crafted SCORM package item title. A remote user can upload a specially crafted SCORM package to execute arbitrary script in a victim's browser.

User interaction is required when a victim views the learning path, and the vulnerable rendering path is exposed when the AI disclosure feature is disabled.


6) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-45142)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to modify another user's SCORM objectives.

The vulnerability exists due to authorization bypass through a user-controlled key in lp_ajax_save_objectives.php when handling requests containing the uid parameter. A remote user can modify the uid parameter in a request to modify another user's SCORM objectives.

No ownership check is performed on the supplied user identifier.


7) Cross-site scripting (CVE-ID: CVE-2026-39878)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary JavaScript in an administrator's browser session and take over an administrator account.

The vulnerability exists due to cross-site scripting in the user registration form and user list page when processing user-supplied registration data and rendering it in HTML attributes. A remote attacker can submit crafted registration fields to execute arbitrary JavaScript in an administrator's browser session and take over an administrator account.

Self-registration must be enabled, and exploitation is triggered when an administrator visits the user list.


8) Improper access control (CVE-ID: CVE-2026-34239)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper access control in main/inc/ajax/lang.ajax.php — translate_portfolio_category when handling requests to the endpoint. A remote user can send a crafted request to execute arbitrary code.

The endpoint is reachable by any authenticated user enrolled in a course, including students, teachers, and DRH users.


Remediation

Install update from vendor's website.