CVE-2026-33704 · HIGH 8.8 · EPSS percentile 33.5%

Description

Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38.
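The description above explains the failure mode: the upload path rewrites a `.php` extension to `.phps` (a denylist), but a sibling extension such as `.pht` passes through untouched, and whether that is dangerous then depends entirely on the web server's handler configuration. The following is an added illustration, not Chamilo's code and not the patched code from the referenced commit; it contrasts the denylist behaviour the advisory describes with an allowlist in which the server chooses the stored filename and keeps only a known-safe extension. `ALLOWED_EXTENSIONS` is a hypothetical list chosen for the example.

```python
import os
import secrets
from typing import Optional

# Hypothetical allowlist for the example: extensions the application actually needs.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg", ".txt", ".zip"}


def denylist_rename(filename: str) -> str:
    """Models the weak behaviour the advisory describes: only '.php' is
    rewritten to '.phps'; any other extension is returned unchanged."""
    base, ext = os.path.splitext(filename)
    if ext.lower() == ".php":
        return base + ".phps"
    return filename


def safe_extension(filename: str) -> Optional[str]:
    """Return the lower-cased final extension if it is on the allowlist,
    otherwise None. Path components supplied by the client are discarded."""
    name = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(name)[1].lower()
    return ext if ext in ALLOWED_EXTENSIONS else None


def stored_name(filename: str, token: Optional[str] = None) -> Optional[str]:
    """Allowlist approach: the server generates the stored name itself and
    appends only the validated extension. The result has exactly one dot,
    so double-extension names ('x.pht.png') cannot survive into storage.
    Returns None when the upload should be rejected."""
    ext = safe_extension(filename)
    if ext is None:
        return None
    token = token or secrets.token_hex(16)
    return token + ext


if __name__ == "__main__":
    # Constructed sample filenames; the first two mirror the advisory's point.
    for candidate in ["report.php", "report.pht", "../notes.TXT", "x.pht.png"]:
        print(f"{candidate!r}: denylist -> {denylist_rename(candidate)!r}, "
              f"allowlist -> {stored_name(candidate, 'f3a1')!r}")
```

The allowlist removes the dependence on Apache's handler mapping that the advisory highlights: the stored name never carries a client-controlled extension, so it does not matter which extensions the server happens to treat as PHP. Storing uploads outside the document root, or in a directory with script execution disabled, is the usual complementary control; for Chamilo itself the fix is the 1.11.38 upgrade named on this page.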

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.42% probability of exploitation · percentile 33.5% · 2026-06-19T12:03:05Z
Published: 2026-04-10
Last modified: 2026-04-16

Underlying weaknesses · 1

CWE-434

References

  1. https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00
  2. https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v

Type: Weakness · Target: Unrestricted Upload of File with Dangerous Type (CWE-434) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-32931
  2. CVE-2026-30875
  3. CVE-2026-29041
  4. CVE-2026-33698
  5. CVE-2026-31939
  6. CVE-2026-33618

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.