Unrestricted File Upload Vulnerability in Chamilo LMS by Chamilo
CVE-2026-32931

7.5 HIGH

Key Information:

Vendor: Chamilo
CVE Published: 10 April 2026

What is CVE-2026-32931?

Chamilo LMS, a popular learning management system, contains an unrestricted file upload vulnerability in the exercise sound upload feature. This flaw allows authenticated users, specifically teachers, to upload malicious PHP files disguised with an audio/mpeg Content-Type header. These files retain their .php extension and are stored in a directory accessible via the web, which can facilitate remote code execution by an attacker under the privileges of the web server user (www-data). The issue has been addressed in versions 1.11.38 and 2.0.0-RC.3.
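The weak pattern described above (trusting the client-supplied Content-Type) next to a hardened check, as an added example that is not Chamilo's code or its patch. The function names, the audio allowlist and the sample upload are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed allowlist (not from the advisory): extension => MIME types libmagic may report.
const ALLOWED_AUDIO = [
    'mp3' => ['audio/mpeg'],
    'ogg' => ['audio/ogg'],
    'wav' => ['audio/wav', 'audio/x-wav'],
];

// Weak pattern from the advisory: the decision rests on the client-supplied Content-Type.
function weakIsAudio(array $file): bool
{
    return $file['type'] === 'audio/mpeg';
}

// Hardened check: returns a server-generated name to store under, or null to reject.
function safeAudioName(array $file): ?string
{
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_AUDIO[$ext])) {
        return null; // extension is not on the allowlist (.php, .phtml, ...)
    }
    // Sniff the stored bytes; $file['type'] is never consulted.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($detected, ALLOWED_AUDIO[$ext], true)) {
        return null; // content does not match the claimed audio format
    }
    // Discard the client file name entirely; keep only the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample: a PHP script labelled audio/mpeg, shaped like a $_FILES entry.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "<?php echo 'constructed sample';");
$upload = ['name' => 'sound.php', 'type' => 'audio/mpeg', 'tmp_name' => $tmp];

var_dump(weakIsAudio($upload));   // the header-only check
var_dump(safeAudioName($upload)); // the extension + content check
unlink($tmp);
```

As defence in depth, store uploads outside the web root or configure the web server so the upload directory never executes PHP.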

Affected Version(s)

chamilo-lms < 1.11.38

chamilo-lms >= 2.0.0-alpha.1, < 2.0.0-RC.3

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
