CVE-2026-33704

Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00	Patch
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*

History

16 Apr 2026, 18:34

Type	Values Removed	Values Added
CPE		cpe:2.3:a:chamilo:chamilo_lms::::::::
References	~~() https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00 -~~	() https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00 - Patch
References	~~() https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v -~~	() https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v - Vendor Advisory
First Time		Chamilo chamilo Lms Chamilo

10 Apr 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-10 19:16

Updated : 2026-04-16 18:34

NVD link : CVE-2026-33704

Mitre link : CVE-2026-33704

CVE.ORG link : CVE-2026-33704

JSON object : View

Products Affected

chamilo

chamilo_lms

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2026-33704", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-04-10T19:16:23.480", "references": [{"url": "https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38."}], "lastModified": "2026-04-16T18:34:15.600", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A4D0C5D2-6FA0-4532-8E3D-4EA111A50621", "versionEndExcluding": "1.11.38"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}