Chamilo LMS Affected by Authenticated Arbitrary File Write via BigUpload...

7.1 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Description

Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38.

Basic Information

ID CVE-2026-33704

Source GitHub_M

Published Apr 10, 2026 at 18:30

Affected Product

Vendor chamilo

Product chamilo-lms

Version < 1.11.38

Affected Versions chamilo chamilo-lms < 1.11.38

CWE Classification

CWE-434

References

{
    "lastseen": "",
    "description": "Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38.",
    "published": "2026-04-10T18:30:48.478Z",
    "modified": "2026-04-10T18:30:48.478Z",
    "type": "cve",
    "title": "Chamilo LMS Affected by Authenticated Arbitrary File Write via BigUpload endpoint",
    "source": "GitHub_M",
    "references": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v\nhttps://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00",
    "id": "CVE-2026-33704",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "chamilo chamilo-lms < 1.11.38",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "chamilo-lms",
    "version": "< 1.11.38",
    "vendor": "chamilo",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Chamilo LMS Affected by Authenticated Arbitrary File Write via BigUpload endpoint_CVE-2026-33704