CVE-2026-30875 · HIGH 8.8 · EPSS p39.7%


Description

Chamilo LMS is a learning management system. Prior to version 1.11.36, an arbitrary file upload vulnerability in the H5P Import feature allows authenticated users with the Teacher role to achieve Remote Code Execution (RCE). The H5P package validation only checks that h5p.json exists; it does not block .htaccess files or PHP files with alternative extensions. An attacker uploads a crafted H5P package containing a webshell and an .htaccess file that enables PHP execution for .txt files, bypassing the security control. This issue has been patched in version 1.11.36.
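
A defender-side check for the validation gap described above, as an added example that is not Chamilo's patch or code from the advisory: it audits every entry in an uploaded H5P zip instead of only confirming that h5p.json exists. The function names, the extension lists and the sample archives are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

# Assumed allowlist for illustration; tune it to the content types you accept.
ALLOWED_EXT = {"json", "js", "css", "png", "jpg", "jpeg", "gif", "svg",
               "mp3", "mp4", "webm", "woff", "woff2", "ttf", "txt", "md"}
# Extensions commonly mapped to the PHP handler (assumed list).
PHP_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht", "phps"}
# Per-directory server configuration files that change how content is served.
SERVER_CONFIG = {".htaccess", ".htpasswd", ".user.ini", "web.config"}


def audit_h5p_package(data: bytes) -> list[str]:
    """Return the reasons to reject the package; an empty list means it passed."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    if "h5p.json" not in names:
        problems.append("missing h5p.json")
    for name in names:
        norm = posixpath.normpath(name.replace("\\", "/"))
        base = posixpath.basename(norm).lower()
        parts = base.split(".")[1:]  # every extension segment, not just the last
        if norm.startswith(("/", "../")) or norm == "..":
            problems.append(f"path traversal: {name}")
        elif base in SERVER_CONFIG or base.startswith("."):
            problems.append(f"server config or dotfile: {name}")
        elif PHP_EXT & set(parts):
            problems.append(f"PHP extension: {name}")
        elif not parts or parts[-1] not in ALLOWED_EXT:
            problems.append(f"extension not allowlisted: {name}")
    return problems


def build_zip(files: dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: placeholder bodies, only the entry names matter here.
    sample = build_zip({"h5p.json": b"{}", "content/.htaccess": b"placeholder",
                        "content/notes.txt": b"placeholder"})
    print(audit_h5p_package(sample))
```

The .txt entry passes on its own; the package is rejected because of the .htaccess entry, which is the file that changes how the server treats .txt content.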

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.52% probability of exploitation · percentile 39.7% · 2026-06-19T12:03:05Z
Published: 2026-03-16
Last modified: 2026-03-17

Underlying weaknesses · 1

CWE-94

References

  1. https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.36
  2. https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-mj4f-8fw2-hrfm

Type: Weakness
Target: Improper Control of Generation of Code ('Code Injection') (cwe-94)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-33704
CVE-2026-32931
CVE-2026-29041
CVE-2026-31939
CVE-2026-33698
CVE-2025-50187

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.