CVE-2026-29041 · HIGH 8.8 · EPSS p49.4%

Description

Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The application relies solely on MIME-type verification when handling file uploads and does not adequately validate file extensions or enforce safe server-side storage restrictions. As a result, an authenticated low-privileged user can upload a crafted file containing executable code and subsequently execute arbitrary commands on the server. This issue has been patched in version 1.11.34.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.73% probability of exploitation · percentile 49.4% · 2026-06-18T12:00:27Z
Published: 2026-03-06
Last modified: 2026-03-09

Underlying weaknesses · 1

CWE-434

References

  1. https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34
  2. https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4pc3-4w2v-vwx8

Type: Weakness
Target: Unrestricted Upload of File with Dangerous Type (cwe-434)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-32931
CVE-2026-33704
CVE-2026-30875
CVE-2025-50187
CVE-2025-55208
CVE-2026-32892

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.