Description
Chamilo LMS is a learning management system. Prior to version 1.11.36, an arbitrary file upload vulnerability in the H5P Import feature allows authenticated users with Teacher role to achieve Remote Code Execution (RCE). The H5P package validation only checks if h5p.json exists but doesn't block .htaccess or PHP files with alternative extensions. An attacker uploads a crafted H5P package containing a webshell and .htaccess that enables PHP execution for .txt files, bypassing security control. This issue has been patched in version 1.11.36.
Published: 2026-03-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An authenticated user holding the Teacher role in Chamilo LMS can upload a crafted H5P package through the import feature. An .h5p package is a zip archive, and the vulnerable import only confirmed that h5p.json was present inside it; it did not restrict the names or types of the other entries. The attacker's archive therefore carries a PHP webshell saved with a .txt extension together with an .htaccess file that instructs Apache to hand .txt files to the PHP interpreter. Once the package is extracted into the web-served upload directory, a single HTTP request for the .txt file runs the webshell with the privileges of the web server process, giving the attacker remote code execution and a full loss of confidentiality, integrity and availability for the instance. The assigned weakness is CWE-94 (Improper Control of Generation of Code, 'Code Injection').
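To make the validation gap concrete, the following added example (not Chamilo's code) builds a constructed malicious H5P package in memory, runs the presence-only check the advisory describes against it, and then runs a content-aware validator of the kind the fix needs. The allow-list of entry extensions, the size limits and the sample package contents are assumptions of the example. It generalises beyond the .txt case in the text: double extensions, traversal entry names, other server-configuration files and a PHP open tag inside any entry are rejected as well.

```python
"""Weak vs hardened validation of an H5P package (added example, not Chamilo's code).

An .h5p file is a zip archive.  The advisory says the vulnerable import only
checked that h5p.json existed inside it.  This script constructs a malicious
package in memory (h5p.json, shell.txt, .htaccess), shows the presence-only
check accepting it, and shows a content-aware validator rejecting it.  The
allow-list and limits below are this example's assumptions, not H5P's spec.
"""
import io
import posixpath
import zipfile

# Constructed packages for the demo (not real Chamilo or H5P content).
MALICIOUS_ENTRIES = {
    "h5p.json": '{"title": "demo", "mainLibrary": "H5P.Example"}',
    ".htaccess": "AddType application/x-httpd-php .txt\n",
    "content/shell.txt": "<?php system($_GET['cmd']); ?>",
}
BENIGN_ENTRIES = {
    "h5p.json": '{"title": "demo", "mainLibrary": "H5P.Example"}',
    "content/content.json": '{"text": "hello"}',
    "H5P.Example-1.0/library.json": '{"machineName": "H5P.Example"}',
    "content/images/cat.png": "\x89PNG (constructed placeholder, not a real image)",
}

# Entry types an H5P package legitimately carries (assumed allow-list).
ALLOWED_EXTENSIONS = {".json", ".js", ".css", ".png", ".jpg", ".jpeg", ".gif",
                      ".svg", ".mp3", ".mp4", ".webm", ".woff", ".woff2", ".ttf",
                      ".eot", ".vtt"}
# Names a web server or PHP reads as configuration wherever they land.
SERVER_CONFIG_NAMES = {".htaccess", ".htpasswd", ".user.ini", "php.ini", "web.config"}
# Extensions commonly mapped to the PHP interpreter.
PHP_LIKE = {".php", ".phtml", ".phar", ".php3", ".php4", ".php5", ".php7", ".phps", ".pht"}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def build_package(entries):
    """Zip a {name: text} mapping into an in-memory .h5p archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def weak_validate(package_bytes):
    """Presence-only check, as the advisory describes the vulnerable import."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        return "h5p.json" in zf.namelist()


def entry_problems(name):
    """Reasons a single archive entry name must be rejected (empty list = fine)."""
    problems = []
    norm = posixpath.normpath(name)
    if posixpath.isabs(name) or "\\" in name or norm.split("/")[0] == "..":
        problems.append("absolute path or traversal")
    base = posixpath.basename(norm).lower()
    if base in SERVER_CONFIG_NAMES or base.startswith(".ht"):
        problems.append("server/PHP configuration file")
    # Every dotted component after the first, so shell.php.txt and
    # shell.txt.php are both caught (double-extension trick).
    exts = ["." + p for p in base.split(".")[1:]]
    if any(e in PHP_LIKE for e in exts):
        problems.append("PHP-executable extension")
    if not exts:
        problems.append("no extension")
    elif exts[-1] not in ALLOWED_EXTENSIONS:
        problems.append(f"extension {exts[-1]} not on allow-list")
    return problems


def hardened_validate(package_bytes, max_entries=2000, max_total_bytes=100 * 1024 * 1024):
    """Content-aware validation.  Returns (accepted, findings)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        infos = zf.infolist()
        if "h5p.json" not in zf.namelist():
            findings.append("h5p.json missing")
        if len(infos) > max_entries:
            findings.append(f"too many entries ({len(infos)})")
        if sum(i.file_size for i in infos) > max_total_bytes:
            findings.append("uncompressed size over limit (zip-bomb guard)")
        for info in infos:
            if info.is_dir():
                continue
            findings.extend(f"{info.filename}: {p}" for p in entry_problems(info.filename))
            # Sniff content too: a PHP open tag has no business in any H5P entry.
            with zf.open(info) as fh:
                head = fh.read(65536)
            if any(tag in head for tag in PHP_OPEN_TAGS):
                findings.append(f"{info.filename}: PHP open tag in content")
    return (not findings, findings)


if __name__ == "__main__":
    bad, good = build_package(MALICIOUS_ENTRIES), build_package(BENIGN_ENTRIES)
    print("weak check accepts malicious package:", weak_validate(bad))
    accepted, why = hardened_validate(bad)
    print("hardened check accepts malicious package:", accepted)
    for line in why:
        print("  -", line)
    print("hardened check accepts benign package:", hardened_validate(good)[0])
```

Run it directly to see both verdicts with the rejection reasons. The point to take away is that checks on the outer upload (its extension or MIME type) cannot see any of this; only inspection of each archive entry, before extraction into a web-served path, does.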

Affected Systems

All Chamilo LMS installations (vendor chamilo, product chamilo-lms) running a version earlier than 1.11.36 are affected. The CPE string cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:* uses a wildcard version field; match it against the "earlier than 1.11.36" range rather than reading it as every version, since 1.11.36 and later carry the fix.

Risk and Exploitability

The CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8, High): reachable over the network, low complexity, no user interaction, but PR:L because the attacker needs a Teacher account. The EPSS score below 1% is an estimate of the probability of exploitation in the wild over the next 30 days, and the SSVC data recorded in the history below (Exploitation: none, Automatable: no, Technical Impact: total) agrees that no exploitation was known at publication; the vulnerability is not in CISA's KEV catalog. Nothing on this page describes an unauthenticated path, so real exposure depends on how easily an attacker can obtain or compromise a Teacher account on a given instance. One caveat on the chain as described: the .htaccess step relies on Apache honouring per-directory overrides in the upload location. On deployments that ignore .htaccess (Apache with AllowOverride None, or other web servers) that step fails, although the arbitrary upload itself remains until 1.11.36 is installed.

Generated by OpenCVE AI on March 17, 2026 at 21:39 UTC.

Remediation

Vendor fix: Chamilo LMS 1.11.36 contains the patch (see the description above). No vendor-documented workaround is recorded on this page.

OpenCVE Recommended Actions

  • Upgrade Chamilo LMS to version 1.11.36 or later; this is the vendor fix.
  • If the upgrade cannot happen immediately, disable the H5P import functionality for Teacher users. Do this at the application or web-server level so the import endpoint itself is unreachable; hiding the menu item alone leaves the endpoint callable.
  • Validate the contents of the uploaded .h5p archive, not just the outer file. Checking the MIME type or extension of the .h5p upload does nothing here, because the dangerous files are entries inside the zip. Reject archives that contain .htaccess (or any .ht* file), .user.ini, PHP-interpreted extensions (.php, .phtml, .phar and double extensions such as .php.txt) or path-traversal entry names, and allow-list the entry types an H5P package legitimately needs (JSON, JavaScript, CSS and media).
  • Configure the web server so that nothing under the upload directories can execute: on Apache set AllowOverride None for those directories so an uploaded .htaccess is ignored, and disable PHP there (php_admin_flag engine off with mod_php, or no PHP handler for that location with PHP-FPM). This neutralises the .htaccess half of the chain even before patching, but the arbitrary upload remains until the upgrade.


Advisories

No advisories yet.

History

Tue, 17 Mar 2026 19:00:00 +0000

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*

Tue, 17 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Chamilo; Chamilo chamilo Lms

Type: Vendors & Products
Values removed: (none)
Values added: Chamilo; Chamilo chamilo Lms

Mon, 16 Mar 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 19:30:00 +0000

Type: Description
Values removed: (none)
Values added: Chamilo LMS is a learning management system. Prior to version 1.11.36, an arbitrary file upload vulnerability in the H5P Import feature allows authenticated users with Teacher role to achieve Remote Code Execution (RCE). The H5P package validation only checks if h5p.json exists but doesn't block .htaccess or PHP files with alternative extensions. An attacker uploads a crafted H5P package containing a webshell and .htaccess that enables PHP execution for .txt files, bypassing security control. This issue has been patched in version 1.11.36.

Type: Title
Values removed: (none)
Values added: Chamilo LMS: Authenticated RCE via H5P Import

Type: Weaknesses
Values removed: (none)
Values added: CWE-94

Type: References
Values removed: (none)
Values added:

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T20:22:42.979Z

Reserved: 2026-03-06T00:04:56.699Z

Link: CVE-2026-30875

Vulnrichment

Updated: 2026-03-16T20:20:32.838Z

NVD

Status : Analyzed

Published: 2026-03-16T20:16:18.330

Modified: 2026-03-17T18:53:29.480

Link: CVE-2026-30875

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:53Z

Weaknesses