Cyber Posture

CVE-2026-29041

High

Published: 06 March 2026

Modified: 09 March 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.7th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The application relies solely on MIME-type verification when handling file uploads and does not adequately validate file extensions or enforce safe server-side storage restrictions. As a result, an authenticated low-privileged user can upload a crafted file containing executable code and subsequently execute arbitrary commands on the server. This issue has been patched in version 1.11.34.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly mandates comprehensive server-side validation of uploaded files, including extensions and content beyond MIME-type checks, to block crafted executables and prevent RCE.

prevent, detect: Requires malicious code protection mechanisms, such as scanning uploaded files at the boundary, to identify and block executable code from low-privileged users.

prevent: Ensures timely flaw remediation by applying vendor patches like Chamilo 1.11.34, directly eliminating the improper file validation vulnerability.
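As an added illustration of the first control above and of the weakness the description names (this is example code written for this page, not Chamilo's code or its actual fix), the client-MIME-only policy sits beside a hardened validator: extension allowlist, content magic bytes, a server-chosen stored name, and a containment check on the upload root. The ALLOWED table and the upload root path are constructed assumptions for the example.

```python
import os
import secrets

# Per-extension expected MIME type and leading magic bytes. Constructed for
# this example; a deployment tunes the allowlist to the uploads it needs.
ALLOWED = {
    "png":  ("image/png",       b"\x89PNG\r\n\x1a\n"),
    "jpg":  ("image/jpeg",      b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg",      b"\xff\xd8\xff"),
    "pdf":  ("application/pdf", b"%PDF-"),
}

class UploadRejected(ValueError):
    """Raised when an upload fails any server-side check."""

def mime_only_check(declared_mime: str) -> bool:
    """The weak policy the advisory describes: trust the client-declared MIME type alone."""
    return declared_mime in {mime for mime, _ in ALLOWED.values()}

def validate_upload(filename: str, content: bytes, declared_mime: str) -> str:
    """Hardened policy: extension allowlist + content magic + server-chosen name.

    Returns the name to store the file under, or raises UploadRejected.
    """
    # Drop directory components and reject NUL bytes before inspecting the name.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or "\x00" in base:
        raise UploadRejected("malformed filename")
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} is not in the allowlist")
    expected_mime, magic = ALLOWED[ext]
    # The declared MIME type is only a consistency hint; the bytes are authoritative.
    if declared_mime != expected_mime:
        raise UploadRejected("declared MIME type does not match extension")
    if not content.startswith(magic):
        raise UploadRejected("file content does not match its extension")
    # The stored name is chosen by the server, so the client's name (including
    # any second extension such as '.php.png') never reaches the filesystem.
    return f"{secrets.token_hex(16)}.{ext}"

def storage_path(upload_root: str, stored_name: str) -> str:
    """Resolve the final path and confirm it stays inside the non-executable upload root."""
    root = os.path.realpath(upload_root)
    path = os.path.realpath(os.path.join(root, stored_name))
    if os.path.dirname(path) != root:
        raise UploadRejected("storage path escapes the upload root")
    return path
```

The upload root is assumed to live outside the web server's document root and to be served, if at all, without script execution; the validator cannot substitute for that storage restriction.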

Security Summary [AI]

CVE-2026-29041 is an authenticated remote code execution vulnerability (CWE-434) affecting Chamilo LMS, an open-source learning management system, in versions prior to 1.11.34. The issue arises from inadequate file upload validation: the application depends solely on MIME-type checks without properly validating file extensions or imposing safe server-side storage restrictions, so malicious files can bypass the upload controls. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability.

An authenticated low-privileged user can exploit the vulnerability by uploading a crafted file containing executable code, which they can then trigger to execute arbitrary commands on the server. No user interaction is required beyond authentication, enabling remote exploitation over the network.

The vulnerability has been patched in Chamilo LMS version 1.11.34. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub release notes at https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34 and the security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4pc3-4w2v-vwx8.

Details

CWE(s)

Affected Products

chamilo
chamilo lms
≤ 1.11.34

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Authenticated RCE via inadequate file upload validation in a public-facing web application (Chamilo LMS) maps directly to exploitation of public-facing applications (T1190) and to deployment and execution of web shells for arbitrary command execution (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References