EUVD-2026-21555CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
3Tags
Description
Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38.
Analysis
Remote code execution in Chamilo LMS versions prior to 1.11.38 allows authenticated users (including low-privilege students) to upload and execute arbitrary PHP code through the BigUpload endpoint. Attackers exploit insufficient file extension filtering by uploading .pht files containing malicious code, which Apache servers with default .pht handlers execute as PHP. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Chamilo LMS deployments and document current versions; disable the BigUpload endpoint or restrict access to trusted administrators only via web server configuration. Within 7 days: Upgrade to Chamilo LMS version 1.11.38 or later, or implement strict file extension filtering to block .pht, .phtml, .php3, .php4, .php5, and related executable extensions at the upload layer. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today