PT-2026-32002 · Unknown · Chamilo Lms

Published: 2026-04-10 · Updated: 2026-04-11 · CVE-2026-32893

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Chamilo LMS versions prior to 2.0.0-RC.3

Description

Chamilo LMS, a learning management system, contains a Reflected Cross-Site Scripting (XSS) issue in the exercise question list admin panel. The vulnerability occurs because the pagination code uses array_merge() to combine all $_GET parameters and then outputs the result through http_build_query() directly into HTML href attributes without proper htmlspecialchars() encoding. This allows an attacker to execute arbitrary JavaScript code in the browser of an authenticated teacher.

Recommendations

Update to version 2.0.0-RC.3 or later.
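
The pattern the description names, shown beside a hardened form, as an added example that is not Chamilo's code or the project's patch. The function names, parameter names and sample request are hypothetical.

```php
<?php
declare(strict_types=1);

// Pattern described in the advisory: every request parameter is merged into
// the link and the query string is written into href without HTML encoding.
function pagination_link_unencoded(array $get, int $page): string
{
    $query = http_build_query(array_merge($get, ['page' => $page]));
    return '<a href="?' . $query . '">' . $page . '</a>';
}

// Hardened form: allowlist the parameters, keep scalars only, and HTML-encode
// the finished query string for the attribute context.
function pagination_link_encoded(array $get, int $page, array $allowed): string
{
    $params = [];
    foreach ($allowed as $name) {
        // Drop anything not on the allowlist, and any array-valued parameter.
        if (isset($get[$name]) && is_scalar($get[$name])) {
            $params[$name] = (string) $get[$name];
        }
    }
    $params['page'] = $page;
    // Pass the separator explicitly so arg_separator.output cannot change it.
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    $href = htmlspecialchars('?' . $query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $href . '">' . $page . '</a>';
}

// Constructed request parameters (hypothetical names, not taken from Chamilo).
$get = [
    'exerciseId' => '12',
    'page'       => '1',
    'unexpected' => ['nested' => 'value'],
];

echo pagination_link_unencoded($get, 2), PHP_EOL;
echo pagination_link_encoded($get, 2, ['exerciseId']), PHP_EOL;
```

The first link carries the unlisted parameter and raw `&` separators into the attribute; the second carries only the allowlisted parameter and is encoded for the HTML attribute context.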

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-32893

Affected Products

Chamilo Lms