Impact
Chamilo LMS allows an authenticated user holding the teacher role to upload a file with a .php extension through the exercise sound upload endpoint, which validates only the client-supplied MIME type. Because the Content-Type header is entirely under the attacker's control, setting it to audio/mpeg is enough for the upload to be accepted; the file is then stored, .php name intact, in a directory that the web server serves directly. Requesting that file causes the server to execute it as PHP, so the attacker can run arbitrary commands under the web server's service account (www-data on Debian-based deployments). This results in full compromise of the confidentiality, integrity and availability of the affected application.
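The following is an added illustration, not Chamilo's code: it models the weak check the advisory describes (trusting the Content-Type header and keeping the client's file name) next to a corrected check that ignores the header, allowlists the extension, rejects double extensions, sniffs the body's magic bytes, and stores the file under a server-generated name. All function and constant names are hypothetical; the sample uploads at the bottom are constructed.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Extension -> the MIME type a client would normally send for it.
ALLOWED_AUDIO = {"mp3": "audio/mpeg", "ogg": "audio/ogg", "wav": "audio/wav"}

# Extensions a typical PHP web server hands to the interpreter. A double
# extension such as shell.php.mp3 still executes under lax Apache AddHandler
# rules, so every dotted segment is checked, not only the last one.
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "php8",
                     "phtml", "phar", "phps"}


@dataclass
class Upload:
    filename: str       # client-supplied name (attacker controlled)
    content_type: str   # client-supplied Content-Type header (attacker controlled)
    data: bytes         # file body


def vulnerable_accept(upload: Upload) -> Optional[str]:
    """The weak check: trust the Content-Type header and keep the client's name.

    Returns the name the file would be stored under, or None if rejected.
    """
    if upload.content_type not in ALLOWED_AUDIO.values():
        return None
    # shell.php sent with Content-Type: audio/mpeg passes and lands in the web root.
    return os.path.basename(upload.filename)


def sniff_audio(data: bytes) -> Optional[str]:
    """Identify mp3/ogg/wav from the leading bytes of the body, else None."""
    if data.startswith(b"ID3"):
        return "mp3"                       # ID3v2 tag precedes the MPEG frames
    if len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0:
        return "mp3"                       # raw MPEG audio frame sync
    if data.startswith(b"OggS"):
        return "ogg"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wav"
    return None


def hardened_accept(upload: Upload) -> Optional[str]:
    """The corrected check. The Content-Type header is ignored entirely."""
    parts = os.path.basename(upload.filename).lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in ALLOWED_AUDIO:
        return None
    if any(seg in SERVER_EXECUTABLE for seg in parts[:-1]):
        return None                        # shell.php.mp3 and friends
    if sniff_audio(upload.data) != ext:
        return None                        # body must match the extension
    # Never store under the client's name: random name, verified extension.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads, not real captures.
    shell = Upload("shell.php", "audio/mpeg", b"<?php system($_GET['c']); ?>")
    track = Upload("intro.mp3", "audio/mpeg", b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\x00" * 32)
    print("weak    :", vulnerable_accept(shell), vulnerable_accept(track))
    print("hardened:", hardened_accept(shell), hardened_accept(track))
```

Magic-byte sniffing is a sanity check, not the defence: a body of the form ID3<?php ... ?> named shell.mp3 passes sniff_audio, and PHP would happily execute what follows the prefix if the server were ever told to treat the file as a script. What actually prevents execution is that the stored name carries only an allowlisted extension the server never maps to PHP, backed by a server configuration that disables script execution in the upload directory altogether.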
Affected Systems
The vulnerability affects Chamilo LMS releases prior to 1.11.38 on the 1.11 branch and prior to 2.0.0-RC.3 on the 2.0 branch; those two releases contain the fix. Only the Chamilo LMS product is impacted, and any installation that has not been updated to 1.11.38 or 2.0.0-RC.3 remains vulnerable. The flaw lives in the exercise sound upload feature, which is reachable by any user with the teacher role.
Risk and Exploitability
A CVSS score of 7.5 places the issue in the High severity band. No EPSS score has been published, so the probability of exploitation in the wild is not quantified, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with the teacher role and access to the exercise configuration interface, which legitimately permits sound file uploads; no further privilege is needed. From there the attacker uploads a PHP file with a spoofed audio Content-Type, requests it through the web server, and obtains remote code execution on the host. The risk is significant for organisations that run Chamilo LMS as their learning platform and whose teacher accounts could be obtained by an attacker, for example through weak or reused credentials.
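For teams that need to establish whether the path above was used against them, the following is an added detection example (not part of the advisory or of Chamilo) that scans web server access logs in the common "combined" format for requests to script-like files under the upload tree. A 2xx response to such a request means the server served, and almost certainly executed, the file. The UPLOAD_PREFIX value, the file names and every log line below are constructed placeholders; substitute the real upload path of your deployment.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit, unquote

# Assumed layout: uploaded sound files are served from below this prefix.
# Placeholder value, not a path taken from the advisory or from Chamilo.
UPLOAD_PREFIX = "/app/upload/"

SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "php8",
                     "phtml", "phar", "phps"}

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def has_executable_extension(path: str) -> bool:
    """True if any dotted segment of the file name is a PHP-handled extension."""
    name = unquote(path).rsplit("/", 1)[-1].lower()
    segs = name.split(".")
    return len(segs) > 1 and any(s in SERVER_EXECUTABLE for s in segs[1:])


def find_script_hits(lines: List[str], prefix: str = UPLOAD_PREFIX) -> List[Dict[str, str]]:
    """Flag requests for script-like files under the upload tree.

    verdict is "executed" for a 2xx response and "attempted" for anything
    else (403/404 still shows someone probing for a planted file).
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a request line we understand
        path = urlsplit(m["target"]).path  # drop ?c=id and similar
        if not unquote(path).startswith(prefix):
            continue
        if not has_executable_extension(path):
            continue
        status = m["status"]
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "path": path,
            "status": status,
            "verdict": "executed" if status.startswith("2") else "attempted",
        })
    return hits


# Constructed sample log lines, not from a real incident.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2025:10:21:01 +0000] "GET /app/upload/audio/intro.mp3 HTTP/1.1" 200 81234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/May/2025:10:21:03 +0000] "GET /app/upload/audio/shell.php?c=id HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [12/May/2025:10:21:04 +0000] "GET /app/upload/audio/cmd.phtml HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    '198.51.100.4 - - [12/May/2025:10:22:10 +0000] "GET /app/upload/audio/a.php.mp3 HTTP/1.1" 200 77 "-" "curl/8.4.0"',
    '198.51.100.4 - - [12/May/2025:10:22:11 +0000] "GET /index.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"',
    'garbage line that is not an access log entry',
]

if __name__ == "__main__":
    for hit in find_script_hits(SAMPLE_LOG):
        print(hit)
```

Run it over the full log history back to when the vulnerable version was deployed, not just the retention window of the SIEM; a teacher account used once to plant a file may have requested it much later. Any "executed" hit warrants treating the host as compromised, since the request ran as the web server user.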
OpenCVE Enrichment