Cross-site scripting in Chamilo LMS - CVE-2026-55503
Published: July 7, 2026
Chamilo LMS
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to cross-site scripting in the learning path SCORM table of contents renderer when processing a crafted SCORM package item title. A remote user can upload a specially crafted SCORM package to execute arbitrary script in a victim's browser.
User interaction is required when a victim views the learning path, and the vulnerable rendering path is exposed when the AI disclosure feature is disabled.