Description

Chamilo LMS is a learning management system. Chamilo LMS version 1.11.34 and prior contains a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page. The keyword parameter from $_REQUEST is echoed directly into an HTML href attribute without any encoding or sanitization. An attacker can inject arbitrary HTML/JavaScript by breaking out of the attribute context using ">followed by a malicious payload. The vulnerability is triggered when the pagination controls are rendered — which occurs when the number of session categories exceeds 20 (the page limit). This issue has been patched in version 1.11.36.

INFO

Published Date :

2026-03-16T19:21:15.507Z

Last Modified :

2026-03-16T20:22:42.453Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-30882 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-30882.

URL Resource
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.36 cve-icon cve-icon
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qg5f-gq95-9vhq cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact