PT-2026-25807 · Chamilo · Chamilo Lms

Elliszat · Published 2026-03-16 · Updated 2026-03-17 · CVE-2026-30882

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Chamilo LMS versions 1.11.34 and prior

Description

Chamilo LMS is a learning management system that has a Reflected Cross-Site Scripting (XSS) issue in the session category listing page. The keyword parameter from the $_REQUEST array is inserted directly into an HTML href attribute without proper encoding or sanitization. This allows an attacker to inject arbitrary HTML or JavaScript code by breaking out of the attribute context using "> followed by a malicious payload. The issue is triggered when the pagination controls are rendered, which happens when the number of session categories exceeds 20. The vulnerable parameter is keyword.

Recommendations

Versions prior to 1.11.36 are affected. Update to version 1.11.36 or later.
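
The flaw class in the description, a request value placed in an href attribute, shown as an added example with the unencoded pattern beside a context-correct one. This is not Chamilo's code or its patch: the function names, the list.php path and the sample keyword are constructed for illustration.

```php
<?php
// Added illustration; function names and list.php are hypothetical, not Chamilo's code.

// Pattern from the description: the raw request value lands inside href="...".
function pagination_link_unencoded(string $keyword, int $page): string
{
    return '<a href="list.php?page=' . $page . '&keyword=' . $keyword . '">' . $page . '</a>';
}

// Two encoding layers, applied in order: URL-encode the value for the query
// string, then HTML-encode the whole URL for the attribute context.
function pagination_link_encoded(string $keyword, int $page): string
{
    $query = http_build_query(
        ['page' => $page, 'keyword' => $keyword],
        '',
        '&',
        PHP_QUERY_RFC3986
    );
    $href = htmlspecialchars('list.php?' . $query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $href . '">' . $page . '</a>';
}

// Lexical check: count tag openers ("<" followed by a letter) in the output.
// A pagination link that kept its input inside the attribute has exactly one.
function tag_openers(string $html): int
{
    return preg_match_all('/<[a-z]/i', $html);
}

// Constructed sample: a harmless marker element after the "> breakout sequence.
$keyword = 'x"><b>marker</b>';

foreach (['unencoded', 'encoded'] as $variant) {
    $html = ('pagination_link_' . $variant)($keyword, 2);
    $verdict = tag_openers($html) === 1 ? 'input stayed inside href' : 'input escaped the attribute';
    printf("%-9s %s\n          => %s\n", $variant, $html, $verdict);
}

// The encoded link still carries the original search term to the server.
parse_str(http_build_query(['keyword' => $keyword], '', '&', PHP_QUERY_RFC3986), $roundTrip);
var_dump($roundTrip['keyword'] === $keyword);
```

The same tag-count check can serve as a regression test after upgrading: render the pagination with a keyword containing a quote and angle brackets and confirm the link markup still contains a single element.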

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-30882
GHSA-QG5F-GQ95-9VHQ

Affected Products

Chamilo Lms