CVE-2026-34161 Overview
CVE-2026-34161 is a Stored Cross-Site Scripting (XSS) vulnerability in Chamilo LMS, an open-source learning management system. The vulnerability exists in the social post attachment upload functionality, where an authenticated user can upload a malicious HTML file containing JavaScript via the /api/social_post_attachments endpoint. The uploaded file is served back from the application at the generated contentUrl without sanitization, content type restrictions, or a Content-Disposition: attachment header, causing the JavaScript to execute in the browser within the application's origin.
Critical Impact
Because the payload is stored server-side and runs in the trusted origin, an attacker can perform session hijacking, account takeover, privilege escalation (if an admin views the link), and arbitrary actions on behalf of the victim.
Affected Products
- Chamilo LMS versions prior to 2.0.0-RC.3
Discovery Timeline
- April 14, 2026 - CVE-2026-34161 published to NVD
- April 14, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34161
Vulnerability Analysis
This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The flaw resides in the file upload mechanism for social post attachments, which fails to properly validate or restrict the types of files that can be uploaded and subsequently served to users.
When an authenticated user uploads a file via the /api/social_post_attachments endpoint, the application does not enforce content type restrictions for uploaded files. More critically, when these files are served back to users, the application fails to include appropriate security headers that would prevent browser interpretation of malicious content. The absence of the Content-Disposition: attachment header and proper content type validation allows the browser to render HTML files with embedded JavaScript within the application's trusted origin.
Root Cause
The root cause of this vulnerability is the lack of proper file type validation and sanitization in the file upload functionality. The application accepted arbitrary file types without restriction, and when serving these files back to users, it did not sanitize the content or enforce safe content delivery headers. This allowed attackers to upload HTML files containing malicious JavaScript that would execute when viewed by other users.
Attack Vector
An attacker with valid credentials to the Chamilo LMS platform can exploit this vulnerability by uploading a specially crafted HTML file containing malicious JavaScript through the social post attachment feature. When another user—particularly an administrator—views or accesses the uploaded content, the JavaScript executes within the context of the application's origin, enabling the attacker to steal session cookies, perform actions on behalf of the victim, or escalate privileges.
The fix introduced proper file type restrictions, limiting uploads to images and videos only:
</p>
<input
ref="inputFile"
- :accept="acceptFileType"
+ :accept="accept"
class="hidden"
type="file"
/>
Source: GitHub Commit
Additionally, stricter MIME type validation was implemented in the Vue components:
<BaseFileUpload
:label="t('Add a picture')"
- accept="image"
+ accept="image/*"
size="small"
@file-selected="selectedFile = $event"
/>
<div class="p-field mt-2">
- <label for="groupPermissions">{{ t('Group permissions') }}</label>
+ <label for="groupPermissions">{{ t("Group permissions") }}</label>
<Dropdown
id="groupPermissions"
v-model="editGroupForm.permissions"
Source: GitHub Commit
The patch also includes SVG sanitization to prevent XSS through SVG files:
// This covers files uploaded before the MIME-type allowlist was introduced.
$isSocialAttachment = 'social_post_attachments' === (string) $request->attributes->get('type');
+ // SVG: sanitize before serving in any mode (view or download).
+ // Glide is raster-only and cannot process SVG; sanitization strips embedded scripts regardless of how the file was stored.
+ if ('image/svg+xml' === $mimeType) {
+ $raw = $resourceNodeRepo->getResourceNodeFileContent($resourceNode, $resourceFile);
+ $content = (new SvgSanitizer())->sanitize((string) $raw);
+
+ if (false === $content || '' === $content) {
+ throw new BadRequestHttpException('Invalid SVG file');
+ }
+
+ $response = new Response($content);
+ $dispositionMode = 'download' === $mode
+ ? ResponseHeaderBag::DISPOSITION_ATTACHMENT
+ : ResponseHeaderBag::DISPOSITION_INLINE;
+ $disposition = $response->headers->makeDisposition($dispositionMode, $fileName);
+ $response->headers->set('Content-Disposition', $disposition);
+ $response->headers->set('Content-Type', 'image/svg+xml');
+ $response->headers->set('X-Content-Type-Options', 'nosniff');
+
+ return $response;
+ }
+
switch ($mode) {
case 'download':
$forceDownload = true;
Source: GitHub Commit
Detection Methods for CVE-2026-34161
Indicators of Compromise
- Unusual file uploads to /api/social_post_attachments containing HTML, SVG, or other script-capable file types
- Access logs showing requests to attachment URLs with suspicious .html or .svg file extensions
- Unexpected session activity or privilege changes following user interactions with social post attachments
- Web application firewall (WAF) alerts for JavaScript keywords in uploaded file content
Detection Strategies
- Monitor HTTP POST requests to the /api/social_post_attachments endpoint for non-image/non-video MIME types
- Implement content inspection rules to detect HTML tags and JavaScript within uploaded files
- Review server-side logs for files being served without proper Content-Disposition headers
- Deploy endpoint detection to identify anomalous browser behavior following attachment access
Monitoring Recommendations
- Enable verbose logging for the Chamilo LMS file upload functionality
- Configure alerts for administrative account access patterns that correlate with recent attachment views
- Implement file integrity monitoring on the upload directory to detect suspicious file types
- Monitor for sudden changes in user session tokens or authentication cookies
How to Mitigate CVE-2026-34161
Immediate Actions Required
- Upgrade Chamilo LMS to version 2.0.0-RC.3 or later immediately
- Audit existing uploaded attachments in the social post feature for malicious content
- Review access logs to identify any potential exploitation attempts
- Temporarily disable the social post attachment feature if immediate upgrade is not possible
Patch Information
Chamilo has addressed this vulnerability in version 2.0.0-RC.3. The fix implements proper file type restrictions, allowing only images and videos in social post attachments. Additionally, SVG files are now sanitized before being served to users, and appropriate security headers are enforced. For detailed information, refer to the GitHub Security Advisory GHSA-273p-jw9w-3g22 and the v2.0.0-RC.3 Release.
Workarounds
- Configure web server rules to force Content-Disposition: attachment headers for all files in the upload directory
- Implement a Web Application Firewall (WAF) rule to block uploads containing HTML or JavaScript content
- Restrict file upload permissions to trusted users only until the patch can be applied
- Consider serving user-uploaded content from a separate domain or subdomain to isolate the origin
# Apache configuration to force download disposition for attachment files
<Directory "/path/to/chamilo/uploads/social_attachments">
<FilesMatch "\.(html|htm|svg|xml)$">
Header set Content-Disposition "attachment"
Header set X-Content-Type-Options "nosniff"
</FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
