Koollab LMS Stored XSS Vulnerability CVE-2026-3007

CSA Alerts & Advisories (Singapore)

Summary

CSA has assigned CVE-2026-3007 to a stored cross-site scripting (XSS) vulnerability in Koollab Learning Management System version 5.3.2, reported under CSA's Responsible Vulnerability Disclosure Policy. The product owner, Three Learning, has released security update version 5.4.0 to address the flaw. Successful exploitation could allow an attacker to execute arbitrary JavaScript on any user account with access to Koollab LMS' courselet feature.

“Successful exploitation of the stored cross-site scripting (XSS) vulnerability could allow an attacker to execute arbitrary JavaScript on any user account that has access to Koollab LMS' courselet feature.”

CSA, verbatim from source
Published by CSA on csa.gov.sg. Detected, standardized, and enriched by GovPing.

What changed

CSA has issued CVE-2026-3007 for a stored XSS vulnerability in Koollab LMS version 5.3.2. The vulnerability affects the courselet feature and could allow an attacker to execute arbitrary JavaScript on any user account with access. Three Learning, the product owner, has released version 5.4.0 as a security update.

Organisations using Koollab LMS should apply the security update without delay and review access controls for the courselet feature. Administrators should monitor for any signs of exploitation and consider whether user accounts may have been compromised prior to patching.

What to do next

  1. Update to version 5.4.0 immediately

Archived snapshot

Apr 23, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

Alerts

Vulnerability in Koollab Learning Management System (LMS)

23 April 2026

CSA has issued a CVE ID to a vulnerability reported in Koollab LMS as part of CSA’s Responsible Vulnerability Disclosure Policy. Users and administrators of the affected product version are advised to update to the latest version 5.4.0 immediately.

Background

CSA has issued a CVE ID (CVE-2026-3007) to a vulnerability reported in Koollab LMS. The Product Owner, Three Learning, an e-learning service provider, has released a security update to address it.

Impact

Successful exploitation of the stored cross-site scripting (XSS) vulnerability could allow an attacker to execute arbitrary JavaScript on any user account that has access to Koollab LMS’ courselet feature.

Affected Products

The vulnerability affects Koollab LMS version 5.3.2.

Mitigation

Users and administrators of the affected product version are advised to update to the latest version 5.4.0 immediately.

Special Thanks to:

  • Informer: Mr Justin Ng, CSA
  • Product Owner: Three Learning

About this page

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from CSA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: CSA
Published: April 23rd, 2026
Instrument: Guidance
Branch: Executive
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Technology companies, Educational institutions
Industry sector: 5112 Software & Technology
Activity scope: Vulnerability patching, Security update deployment, User access review
Geographic scope: Singapore (SG)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Product Safety, Data Privacy
