Cross-site scripting in Chamilo LMS - CVE-2026-45143

 

Cross-site scripting in Chamilo LMS - CVE-2026-45143

Published: July 7, 2026


Vulnerability identifier: #VU137016
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-45143
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Chamilo
Affected software:
Chamilo LMS

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in an administrator's browser and take over the administrator account.

The vulnerability exists due to cross-site scripting in the private message rendering functionality when rendering stored message content with v-html. A remote user can send a specially crafted private message to a specific administrator to execute arbitrary script in an administrator's browser and take over the administrator account.

User interaction is limited to the administrator opening the inbox as part of routine use, with no phishing or link click required.


How to mitigate CVE-2026-45143

Install security update from vendor's website.

Sources