CVE-2026-30875
Arbitrary File Upload in Chamilo LMS H5P Leads to RCE
Publication date: 2026-03-16
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | up to 1.11.36 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30875 is a critical vulnerability in Chamilo LMS versions prior to 1.11.36 that allows authenticated users with the Teacher role to perform Remote Code Execution (RCE).
The issue exists in the H5P Import feature, where the system only checks if the h5p.json file is present in an uploaded package but does not block dangerous files such as .htaccess or PHP files with alternative extensions.
An attacker can exploit this by uploading a specially crafted H5P package containing a webshell and a .htaccess file that enables PHP execution for files with a .txt extension, thereby bypassing security controls and allowing arbitrary code execution on the server.
How can this vulnerability impact me?
This vulnerability can have severe impacts including full server compromise under the www-data user.
An attacker exploiting this flaw can execute arbitrary code remotely, potentially gaining control over the server hosting the Chamilo LMS.
This may lead to unauthorized access to sensitive data such as database credentials and other critical information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if your Chamilo LMS instance is running a version prior to 1.11.36 and if the H5P Import feature allows uploading of arbitrary files such as .htaccess or PHP files with alternative extensions.
You can look for suspicious files uploaded via the H5P Import feature, especially .htaccess files that enable PHP execution for non-standard extensions like .txt, or webshell files disguised within H5P packages.
Commands to help detect potential exploitation might include searching the web server directories for unexpected .htaccess or PHP-related files, for example:
- `find /path/to/chamilo/uploads -name ".htaccess"`
- `find /path/to/chamilo/uploads -type f \( -name "*.php" -o -name "*.php5" -o -name "*.phtml" -o -name "*.txt" \) -exec grep -l "<?php" {} +`
Additionally, monitoring web server logs for unusual requests to .txt files or other extensions that should not execute PHP code may help identify exploitation attempts. [1]
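The two `find` commands above can be combined into one pass over the upload tree. The following Python audit is an added example, not code from the original page or from the Chamilo project: it flags any `.htaccess` file, separately marks those that bind a PHP handler, and reports any file containing a PHP open tag regardless of extension. The finding labels, the 1 MiB read cap and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Apache directives that can bind the PHP handler to another extension.
HANDLER_RE = re.compile(
    r"^\s*(AddType|AddHandler|SetHandler|ForceType)\b.*php", re.I | re.M)
PHP_TAG = b"<?php"
MAX_READ = 1024 * 1024  # assumption: inspect only the first 1 MiB per file


def audit_upload_tree(root):
    """Return sorted (finding, relative_path) pairs for an upload directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(MAX_READ)
            except OSError:
                findings.append(("unreadable", rel))
                continue
            if name.lower() == ".htaccess":
                # Any .htaccess in an upload tree deserves review; one that
                # maps a PHP handler is the pattern this CVE describes.
                if HANDLER_RE.search(head.decode("latin-1")):
                    findings.append(("htaccess-php-handler", rel))
                else:
                    findings.append(("htaccess-present", rel))
            elif PHP_TAG in head.lower():
                findings.append(("php-tag", rel))
    return sorted(findings)


def build_constructed_tree(root):
    """Write a constructed sample package layout (placeholder content only)."""
    pkg = os.path.join(root, "pkg")
    os.makedirs(pkg)
    samples = {
        "h5p.json": '{"title": "constructed sample"}',
        ".htaccess": "# constructed sample\nAddType application/x-httpd-php .txt\n",
        "notes.txt": "<?php /* constructed placeholder, no payload */ ?>",
        "readme.txt": "plain text, nothing to flag",
    }
    for name, body in samples.items():
        with open(os.path.join(pkg, name), "w") as fh:
            fh.write(body)
```

Point `audit_upload_tree()` at the directory where extracted H5P content is stored on your installation and review every finding by hand before removing anything.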
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to upgrade Chamilo LMS to version 1.11.36 or later, where this vulnerability has been patched.
Until the upgrade can be performed, restrict the Teacher role's ability to upload H5P packages or disable the H5P Import feature if possible.
Review and remove any suspicious .htaccess or webshell files that may have been uploaded to the server.
Implement additional server-side restrictions to prevent execution of PHP code in upload directories, such as disabling PHP execution in those directories via web server configuration. [1]