CVE-2026-34161 is a stored XSS vulnerability in chamilo-lms prior to version 2.0.0-RC.3. It arises from insufficient input neutralization in the social post attachment upload functionality. An authenticated attacker can upload a malicious HTML file containing JavaScript via the /api/social_post_attachments endpoint. The application returns the uploaded file at a generated contentUrl without sanitizing the content, enforcing content type restrictions, or using a Content-Disposition: attachment header. This allows the embedded JavaScript to execute in the victim's browser within the application's origin, enabling session hijacking, privilege escalation, and other unauthorized actions. The issue is resolved in version 2.0.0-RC.3.

The vulnerability allows authenticated users to upload malicious HTML files that execute JavaScript in the context of the trusted application origin. This can lead to session hijacking, account takeover, privilege escalation (especially if an administrator views the malicious content), and arbitrary actions performed on behalf of the victim. The CVSS 4.0 score is 5.1 (medium severity), reflecting the moderate impact and the requirement for authentication and user interaction.

A fix is available in chamilo-lms version 2.0.0-RC.3. Users and administrators should upgrade to this version or later to remediate the vulnerability. Since no official vendor advisory or patch link is provided, verify the upgrade availability and instructions from the official chamilo project resources. Until upgraded, restrict authenticated user permissions to limit exposure and avoid accessing untrusted uploaded attachments.