VYPR
Medium severity · CVSS 5.4 · NVD Advisory · Published Apr 23, 2026 · Updated May 10, 2026

CVE-2026-3007

Description

Successful exploitation of the stored cross-site scripting (XSS) vulnerability could allow an attacker to execute arbitrary JavaScript on any user account that has access to Koollab LMS’ courselet feature.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Koollab LMS courselet feature allows arbitrary JavaScript execution on any user account with access.

Vulnerability

Overview

CVE-2026-3007 is a stored cross-site scripting (XSS) vulnerability in Koollab Learning Management System (LMS) version 5.3.2. The flaw resides in the courselet feature, where user-supplied input is not properly sanitized before being stored and later rendered in the browser. This allows an attacker to inject malicious JavaScript code that persists within the application [1].

Exploitation

To exploit this vulnerability, an attacker must have the ability to create or modify courselets within the LMS—typically requiring an authenticated account with instructor or administrative privileges. Once the malicious script is embedded in a courselet, any user who accesses that courselet will execute the script in their browser session. No additional user interaction beyond viewing the courselet is required [1].

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of any user account that has access to the courselet feature. This can lead to session hijacking, theft of sensitive data, defacement of the LMS interface, or further actions such as privilege escalation if the victim has higher permissions. The impact is broad because the stored XSS affects all users who view the compromised courselet [1].
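To make the class of flaw described above concrete, here is an added example (not Koollab LMS code, whose implementation is not on this page): a minimal courselet store whose rendering function concatenates stored author-supplied fields straight into markup, beside one that HTML-encodes those fields at output time. The store shape, function names and the sample body are all constructed for illustration.

```javascript
// Added example, not Koollab LMS code: the stored-XSS pattern and its fix.
// A "courselet" is modelled as a title and body supplied by an author,
// persisted, and later rendered into HTML for every viewer.

const courseletStore = new Map();

// Persist whatever the author submitted. Storing raw text is acceptable;
// the defect is rendering it later without output encoding.
function saveCourselet(id, title, body) {
  courseletStore.set(id, { title, body });
}

// Vulnerable rendering: untrusted fields are interpolated directly into
// markup, so a stored <script> element (or an event-handler attribute)
// is parsed and executed by the browser of every user who opens it.
function renderCourseletUnsafe(id) {
  const c = courseletStore.get(id);
  return `<article><h2>${c.title}</h2><div>${c.body}</div></article>`;
}

// Encode the five characters that are significant in HTML text and
// double-/single-quoted attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: every untrusted value is encoded at output time, so
// the browser displays the payload as literal text instead of parsing it.
function renderCourseletSafe(id) {
  const c = courseletStore.get(id);
  return `<article><h2>${escapeHtml(c.title)}</h2>` +
         `<div>${escapeHtml(c.body)}</div></article>`;
}

// Constructed sample: an author-controlled body carrying a script element.
const SAMPLE_ID = 'courselet-1';
const SAMPLE_BODY = 'Week 1 notes <script>alert(1)</script>';
saveCourselet(SAMPLE_ID, 'Intro "module"', SAMPLE_BODY);

// Returns true when the rendered HTML still contains an executable script
// element, i.e. when the rendering path is exploitable by stored content.
function rendersActiveScript(html) {
  return /<script\b/i.test(html);
}
```

In the hardened output the sample body appears as `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser shows as text; the same encoding must be applied to every field the courselet feature echoes, including titles and attribute values.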

Mitigation

The product owner, Three Learning, has released a security update to address this vulnerability. Users and administrators of Koollab LMS version 5.3.2 are advised to upgrade to version 5.4.0 immediately. No workarounds have been provided, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 1

News mentions: 0 (no linked articles in the index yet)