EUVD-2026-12496
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description
Chamilo LMS is a learning management system. Prior to version 1.11.36, an arbitrary file upload vulnerability in the H5P Import feature allows authenticated users with Teacher role to achieve Remote Code Execution (RCE). The H5P package validation only checks if h5p.json exists but doesn't block .htaccess or PHP files with alternative extensions. An attacker uploads a crafted H5P package containing a webshell and .htaccess that enables PHP execution for .txt files, bypassing security control. This issue has been patched in version 1.11.36.
Analysis
An arbitrary file upload vulnerability in Chamilo LMS allows authenticated users with Teacher role to achieve Remote Code Execution by uploading malicious H5P packages. The flaw affects versions prior to 1.11.36 and stems from inadequate validation of H5P package contents, which only checks for h5p.json existence but fails to block .htaccess or PHP files with alternative extensions. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Chamilo LMS instances and versions; disable H5P import feature if not operationally critical. Within 7 days: Audit recent H5P uploads and teacher accounts for suspicious activity; implement network-level file upload monitoring. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today