Cross-site scripting in Chamilo LMS - CVE-2026-45143
Published: July 7, 2026
Chamilo LMS
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script in an administrator's browser and take over the administrator account.
The vulnerability exists due to cross-site scripting in the private message rendering functionality when rendering stored message content with v-html. A remote user can send a specially crafted private message to a specific administrator to execute arbitrary script in an administrator's browser and take over the administrator account.
User interaction is limited to the administrator opening the inbox as part of routine use, with no phishing or link click required.