Executive Summary

CVE-2026-30875 is a critical vulnerability in Chamilo LMS versions prior to 1.11.36 that allows authenticated users with the Teacher role to perform Remote Code Execution (RCE).

The issue exists in the H5P Import feature, where the system only checks if the h5p.json file is present in an uploaded package but does not block dangerous files such as .htaccess or PHP files with alternative extensions.

An attacker can exploit this by uploading a specially crafted H5P package containing a webshell and a .htaccess file that enables PHP execution for files with a .txt extension, thereby bypassing security controls and allowing arbitrary code execution on the server.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including full server compromise under the www-data user.

An attacker exploiting this flaw can execute arbitrary code remotely, potentially gaining control over the server hosting the Chamilo LMS.

This may lead to unauthorized access to sensitive data such as database credentials and other critical information.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves checking if your Chamilo LMS instance is running a version prior to 1.11.36 and if the H5P Import feature allows uploading of arbitrary files such as .htaccess or PHP files with alternative extensions.'}, {'type': 'paragraph', 'content': 'You can look for suspicious files uploaded via the H5P Import feature, especially .htaccess files that enable PHP execution for non-standard extensions like .txt, or webshell files disguised within H5P packages.'}, {'type': 'paragraph', 'content': 'Commands to help detect potential exploitation might include searching the web server directories for unexpected .htaccess or PHP-related files, for example:'}, {'type': 'list_item', 'content': 'find /path/to/chamilo/uploads -name ".htaccess"'}, {'type': 'list_item', 'content': 'find /path/to/chamilo/uploads -type f \\( -name "*.php" -o -name "*.php5" -o -name "*.phtml" -o -name "*.txt" \\) -exec grep -l "<?php" {} +'}, {'type': 'paragraph', 'content': 'Additionally, monitoring web server logs for unusual requests to .txt files or other extensions that should not execute PHP code may help identify exploitation attempts.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate and most effective mitigation step is to upgrade Chamilo LMS to version 1.11.36 or later, where this vulnerability has been patched.'}, {'type': 'paragraph', 'content': "Until the upgrade can be performed, restrict the Teacher role's ability to upload H5P packages or disable the H5P Import feature if possible."}, {'type': 'paragraph', 'content': 'Review and remove any suspicious .htaccess or webshell files that may have been uploaded to the server.'}, {'type': 'paragraph', 'content': 'Implement additional server-side restrictions to prevent execution of PHP code in upload directories, such as disabling PHP execution in those directories via web server configuration.'}] [1]

Useful 0 Not Useful 0