CVE-2026-30882 MEDIUM

CVE-2026-30882: Chamilo LMS: Reflected XSS in the session category listing page

Vendor Chamilo
Product chamilo-lms
Weakness CWE-79 · XSS
Published March 16, 2026
Last update March 16, 2026
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Chamilo LMS is a learning management system. Chamilo LMS version 1.11.34 and prior contains a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page. The keyword parameter from $_REQUEST is echoed directly into an HTML href attribute without any encoding or sanitization. An attacker can inject arbitrary HTML/JavaScript by breaking out of the attribute context using ">followed by a malicious payload. The vulnerability is triggered when the pagination controls are rendered — which occurs when the number of session categories exceeds 20 (the page limit). This issue has been patched in version 1.11.36.

Key dates

02Disclosure timeline

March 16, 2026 CVE published
March 16, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-66412 Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes CVE-2024-54424 WordPress Like in Vk.com plugin <= 0.5.2 - CSRF to Stored Cross-Site Scripting vulnerability CVE-2024-40873 XSS in Secure Access administrative console CVE-2024-36413 SuiteCRM authenticated Reflected Cross-Site Scripting CVE-2024-3005 LA-Studio Element Kit for Elementor <= 1.3.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via LaStudioKit Post Author Widget