CVE-2026-33704 HIGH

CVE-2026-33704: Chamilo LMS Affected by Authenticated Arbitrary File Write via BigUpload endpoint

Vendor Chamilo
Product chamilo-lms
Weakness CWE-434 · Unrestricted file upload
Published April 10, 2026
Last update April 13, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

What the vulnerability does

01Description

Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38.

Key dates

02Disclosure timeline

April 10, 2026 CVE published
April 13, 2026 Record updated