CVE-2026-32931

CVE-2026-32931 is an unrestricted file upload vulnerability in Chamilo LMS, an open-source learning management system. The flaw affects versions prior to 1.11.38 and 2.0.0-RC.3, specifically within the exercise sound upload function. It allows attackers to upload arbitrary files, such as a PHP webshell, by spoofing the Content-Type header to audio/mpeg. Uploaded files retain their original .php extension and are placed in a web-accessible directory, enabling remote code execution as the web server user, typically www-data. The vulnerability is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated teacher can exploit this vulnerability remotely. By crafting a request with a spoofed Content-Type header, the attacker uploads a malicious PHP file disguised as an audio file during the exercise sound upload process. Once uploaded to the accessible directory, the file can be executed via a web request, granting remote code execution privileges equivalent to the web server process. The high attack complexity stems from the need for authentication and precise header manipulation, but successful exploitation yields high impacts on confidentiality, integrity, and availability.

Mitigation requires upgrading to Chamilo LMS 1.11.38 or 2.0.0-RC.3, where the vulnerability is fixed. Patch details are documented in GitHub commits https://github.com/chamilo/chamilo-lms/commit/8cbe660de267f2b6ed625433bdfcf38dee8752b4 and https://github.com/chamilo/chamilo-lms/commit/d5ef5153df3d1b2de112cbeb190cdd10bea457f3, with further guidance in the security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-863j-h6pf-3xhx. Administrators should review access controls for teacher roles and monitor upload directories for anomalies in the interim.