Zero Day Monitor © 2026
CVE-2026-34161 (PATCHED)
chamilo · chamilo-lms

Chamilo LMS: Stored XSS via Malicious File Upload in Social Post Attachments Leads to Arbitrary JavaScript Execution

Description

A vulnerability classified as problematic was found in Chamilo LMS up to 2.0.0-RC.2. This vulnerability affects unknown code of the file /api/social_post_attachments. Such manipulation leads to cross-site scripting. This vulnerability is uniquely identified as CVE-2026-34161. The attack can be launched remotely. No exploit exists. Upgrading the affected component is advised.

Affected Products

Vendor    Product       Versions
chamilo   chamilo-lms   < 2.0.0-RC.3

References

  • https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-273p-jw9w-3g22 (CONFIRM)
  • https://github.com/chamilo/chamilo-lms/commit/7c4965e48769d1d06413836429e386816a465c7f (MISC)
  • https://github.com/chamilo/chamilo-lms/commit/da671d66a146887be3a16eabc5dcf0a92c55f7da (MISC)
  • https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3 (MISC)

Related News (1 article)

  • Tier C · VulDB · 4h ago
    CVE-2026-34161 | Chamilo LMS up to 2.0.0-RC.2 social_post_attachments cross site scripting (GHSA-273p-jw9w-3g22)
    → No new info (linked only)
CISA KEV: No
Actively exploited: No
Patch available: 2.0.0-RC.3
CWE: CWE-79
Published: Apr 14, 2026
Last enriched: 3h ago (v2)
Trending Score: 27
Source articles: 1
Independent: 1
Info Completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

  • CRITICAL · CVE-2026-34370 · EXP — Chamilo LMS: IDOR in the Notebook Module allows an attacker to view other users' private notes (Trending: 49)
  • CRITICAL · CVE-2026-34602 · EXP — Chamilo LMS: IDOR in /api/course_rel_users Allows Unauthorized Enrollment of Arbitrary Users into Courses (Trending: 49)
  • CRITICAL · CVE-2026-35196 · EXP — Chamilo LMS has OS Command Injection via export_all_certificates action (Trending: 49)
  • CRITICAL · CVE-2026-33714 — Chamilo LMS has Authenticated SQL Injection in statistics.ajax.php users_active action (2.0 RC2) (Trending: 30)
  • CRITICAL · CVE-2026-34160 — Chamilo LMS: Unauthenticated SSRF via PENS Plugin allows attacker to probe internal network and reach cloud metadata services (Trending: 30)

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • CVE Published: Apr 14, 2026
  • Patch Available: Apr 14, 2026
  • Discovered by ZDM: Apr 14, 2026
  • Updated (severity, patchAvailable, description): Apr 14, 2026

Version History

v2 · Tier C · 3h ago (last enriched 3h ago)

Updated severity to HIGH, added patch version 2.0.0-RC.3, and provided a new description with additional details.

Fields changed: severity, patchAvailable, description (via VulDB)

v1 · 4h ago

Initial creation