Cross-site scripting in Chamilo LMS - CVE-2026-39878
Published: July 7, 2026
Chamilo LMS
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary JavaScript in an administrator's browser session and take over an administrator account.
The vulnerability exists due to cross-site scripting in the user registration form and user list page when processing user-supplied registration data and rendering it in HTML attributes. A remote attacker can submit crafted registration fields to execute arbitrary JavaScript in an administrator's browser session and take over an administrator account.
Self-registration must be enabled, and exploitation is triggered when an administrator visits the user list.