Arbitrary file upload in Chamilo LMS - CVE-2026-33704

Published: April 24, 2026


Vulnerability identifier: #VU127554
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33704
CWE-ID: CWE-434
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Chamilo
Affected software: Chamilo LMS

Detailed vulnerability description

The vulnerability allows a remote user to write arbitrary files and execute arbitrary code.

The vulnerability exists due to unrestricted upload of a file with a dangerous type in the BigUpload endpoint when handling crafted upload requests. A remote user can send a specially crafted request to write arbitrary files and execute arbitrary code.

Code execution is possible on Apache configurations where .pht files are handled as PHP. Path traversal is blocked, limiting writes to the cache directory.
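The defensive pattern for this class of bug (CWE-434) is an extension allowlist applied to the final path component only, rather than a denylist of known-executable extensions that misses variants such as .pht. The following is an added example written for this page, not Chamilo's code; the allowed extension set and the naive denylist shown for contrast are assumptions.

```python
import re
from pathlib import PurePosixPath

# Assumption: a course-content upload endpoint only needs these formats.
ALLOWED_EXTENSIONS = frozenset({"pdf", "png", "jpg", "jpeg", "gif", "txt", "zip"})

# Conservative character class for the stored base name.
_SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class RejectedUpload(ValueError):
    pass


def naive_denylist_accepts(user_filename: str) -> bool:
    """Illustrative weak check (not Chamilo's code): blocks only '.php'.

    Shown to make the failure mode concrete: '.pht' passes, yet Apache may
    still hand it to the PHP handler depending on configuration.
    """
    return not user_filename.lower().endswith(".php")


def sanitize_upload_name(user_filename: str) -> str:
    """Return a safe 'base.ext' name for storing an upload, or raise.

    Rules: keep only the final path component (no traversal), require exactly
    one extension so 'doc.pdf.pht' is not treated as a PDF, compare the
    extension case-insensitively against the allowlist, and restrict the
    base name to a conservative character class.
    """
    if "\x00" in user_filename:
        raise RejectedUpload("NUL byte in filename")
    # Strip any directory part, whichever separator convention was used.
    name = PurePosixPath(user_filename.replace("\\", "/")).name
    # Some filesystems drop trailing dots/spaces; remove them first so that
    # 'shell.pht.' cannot end up stored as 'shell.pht'.
    name = name.rstrip(". ")
    parts = name.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise RejectedUpload(f"expected exactly one extension: {user_filename!r}")
    base, ext = parts[0], parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise RejectedUpload(f"extension not permitted: .{ext}")
    if not _SAFE_BASENAME.match(base):
        raise RejectedUpload(f"base name has disallowed characters: {base!r}")
    return f"{base}.{ext}"


def is_accepted(user_filename: str) -> bool:
    """Predicate form of sanitize_upload_name, for tests and logging."""
    try:
        sanitize_upload_name(user_filename)
        return True
    except RejectedUpload:
        return False
```

Independently of filename checks, the directory that receives uploads (here the cache directory) should be configured so the web server never executes files from it.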


How to mitigate CVE-2026-33704

Install the security update from the vendor's website.

Sources