CVE-2026-34161

Name of the Vulnerable Software and Affected Versions Chamilo LMS versions prior to 2.0.0-RC.3

Description A Stored Cross-Site Scripting (XSS) issue exists in the social post attachment upload functionality. An authenticated user can upload a malicious HTML file containing JavaScript via the '/api/social post attachments' endpoint. The application serves the uploaded file through the contentUrl without sanitization, content type restrictions, or a Content-Disposition: attachment header, allowing the JavaScript to execute in the browser within the application origin. This can lead to session hijacking, account takeover, privilege escalation if an administrator views the link, and arbitrary actions performed on behalf of the victim.

Recommendations Update to version 2.0.0-RC.3.