Vulnerability Description
Chamilo LMS is a learning management system. Prior to version 1.11.36, an arbitrary file upload vulnerability in the H5P Import feature allows authenticated users with Teacher role to achieve Remote Code Execution (RCE). The H5P package validation only checks if h5p.json exists but doesn't block .htaccess or PHP files with alternative extensions. An attacker uploads a crafted H5P package containing a webshell and .htaccess that enables PHP execution for .txt files, bypassing security control. This issue has been patched in version 1.11.36.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Chamilo | Chamilo Lms | < 1.11.36 |
Related Weaknesses (CWE)
References
- https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.36ProductRelease Notes
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-mj4f-8fw2-hrfmVendor Advisory
FAQ
What is CVE-2026-30875?
CVE-2026-30875 is a vulnerability with a CVSS score of 8.8 (HIGH). Chamilo LMS is a learning management system. Prior to version 1.11.36, an arbitrary file upload vulnerability in the H5P Import feature allows authenticated users with Teacher role to achieve Remote C...
How severe is CVE-2026-30875?
CVE-2026-30875 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-30875?
Check the references section above for vendor advisories and patch information. Affected products include: Chamilo Chamilo Lms.