Chamilo LMS, an open-source learning management system, suffers from a reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2026-30882 affecting versions 1.11.34 and earlier. The vulnerability exists on the session category listing page, specifically when pagination is triggered due to more than 20 session categories. The root cause is the improper neutralization of user-supplied input in the 'keyword' parameter, which is taken from the $_REQUEST superglobal and directly echoed into an HTML href attribute without any encoding or sanitization. This allows an attacker to inject arbitrary HTML or JavaScript by breaking out of the attribute context using a double quote (") followed by malicious payloads. When a victim clicks a crafted link containing this payload, the malicious script executes in the victim’s browser context, potentially enabling session hijacking, credential theft, or other attacks that compromise user confidentiality and integrity. The vulnerability does not require authentication but does require user interaction to trigger. The scope is limited to Chamilo LMS installations with session categories exceeding 20, which activates the vulnerable pagination control rendering. The vulnerability has been assigned a CVSS 3.1 base score of 6.1 (medium severity), reflecting its network attack vector, low attack complexity, no privileges required, and requirement for user interaction. No known exploits are reported in the wild as of the publication date. The issue was addressed in Chamilo LMS version 1.11.36 by properly sanitizing and encoding the 'keyword' parameter before output.

The primary impact of CVE-2026-30882 is on the confidentiality and integrity of users interacting with vulnerable Chamilo LMS instances. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim’s browser, leading to session hijacking, theft of sensitive information such as authentication tokens, or unauthorized actions performed on behalf of the user. This can undermine trust in the LMS platform, potentially exposing sensitive educational data and user credentials. While the vulnerability does not directly affect system availability, the indirect consequences could include account compromise and unauthorized access to learning resources or administrative functions. Organizations relying on Chamilo LMS for critical educational or training services may face reputational damage and compliance risks if user data is exposed. The requirement for user interaction limits automated exploitation but targeted phishing or social engineering campaigns could increase risk. Since the vulnerability is triggered only when pagination is active (more than 20 session categories), smaller deployments may be less affected, but larger institutions with extensive course catalogs are at higher risk.

To mitigate CVE-2026-30882, organizations should immediately upgrade Chamilo LMS to version 1.11.36 or later, where the vulnerability is patched. If immediate upgrading is not feasible, administrators should implement strict input validation and output encoding on the 'keyword' parameter to prevent injection of malicious characters, especially within HTML attribute contexts. Employing a web application firewall (WAF) with rules to detect and block suspicious payloads targeting the pagination controls can provide temporary protection. Additionally, educating users about the risks of clicking untrusted links and implementing Content Security Policy (CSP) headers can reduce the impact of potential XSS attacks. Regular security audits and penetration testing focusing on input handling and output encoding should be conducted to identify similar vulnerabilities. Monitoring logs for unusual URL parameters or user activity related to session category pages can help detect attempted exploitation.