CVE-2026-33704
Published: 10 April 2026
Description
Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38.
Mitigating Controls (NIST 800-53 r5, AI-generated)
- Requires validation of the 'key' parameter and raw POST body content to block unrestricted uploads of dangerous file types like .pht containing PHP code.
- Enforces least privilege to prevent low-privilege authenticated users such as students from writing arbitrary files to the server filesystem via the BigUpload endpoint.
- Mandates flaw remediation including patching to Chamilo LMS 1.11.38, which directly fixes the arbitrary file write vulnerability.
Security Summary (AI-generated)
CVE-2026-33704 is an arbitrary file write vulnerability in Chamilo LMS, an open-source learning management system, affecting versions prior to 1.11.38. The issue exists in the BigUpload endpoint, where any authenticated user can specify a filename via the "key" parameter and supply arbitrary content through the raw POST body, which is written directly to the server filesystem. While filenames with .php extensions are sanitized to .phps, the .pht extension passes through unmodified, enabling remote code execution on Apache configurations that interpret .pht files as PHP scripts. The vulnerability is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L).
Any authenticated user, including low-privilege accounts such as students, can exploit this vulnerability remotely with low attack complexity and no user interaction. By uploading a malicious .pht file containing PHP code, an attacker can achieve remote code execution on the server, potentially leading to full server compromise depending on the environment.
The vulnerability is addressed in Chamilo LMS version 1.11.38. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v and the fixing commit at https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00.
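The root cause described above is an extension blocklist: only a trailing .php is rewritten to .phps, so a filename ending in .pht is written as-is. The following Python is an added illustration (not Chamilo's code; the function names, the allowlisted document extensions and the sample keys are all assumptions constructed for the example) that places that weak check beside an allowlist-based validator of the kind a defender would want in front of a write-to-disk upload handler: it accepts only a plain basename with an allowlisted extension, refuses directory components, and checks every suffix so a double extension cannot slip through.

```python
"""Blocklist rewrite vs. allowlist validation for an upload filename parameter.

Hypothetical illustration for the Chamilo LMS advisory above; none of this is
the project's own code. ALLOWED_EXTENSIONS and the sample keys are assumptions.
"""
import re
from pathlib import PurePosixPath


def blocklist_rename(key: str) -> str:
    """Mimics the weak check the advisory describes: a trailing '.php' is
    rewritten to '.phps', and any other name passes through unchanged."""
    if key.lower().endswith(".php"):
        return key[:-4] + ".phps"
    return key


# Assumption: the upload endpoint only needs to accept course-content documents.
ALLOWED_EXTENSIONS = frozenset({".pdf", ".png", ".jpg", ".txt", ".zip"})

# A plain basename: starts with an alphanumeric (so no dotfiles), then a
# bounded run of alphanumerics, dots, underscores and hyphens.
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class UploadRejected(ValueError):
    """Raised when a filename fails the allowlist validator."""


def allowlist_validate(key: str) -> str:
    """Hardened alternative: return the basename only if every part of it is
    acceptable; otherwise raise UploadRejected with the reason."""
    name = PurePosixPath(key).name  # strips any directory components
    if name != key or name in ("", "."):
        raise UploadRejected(f"path components or empty name not allowed: {key!r}")
    if not SAFE_BASENAME.match(name):
        raise UploadRejected(f"unexpected characters in name: {key!r}")
    # Check every suffix, not just the last one, so 'notes.pdf.pht' and
    # 'shell.pht.pdf' are both refused rather than relying on server config.
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or any(s not in ALLOWED_EXTENSIONS for s in suffixes):
        raise UploadRejected(f"extension not allowlisted: {key!r}")
    return name


def is_accepted(key: str) -> bool:
    """Convenience wrapper: True if allowlist_validate accepts the key."""
    try:
        allowlist_validate(key)
        return True
    except UploadRejected:
        return False


def compare(keys):
    """Return {key: (blocklist result, allowlist result)} for each sample key,
    where the allowlist result is the accepted name or 'REJECTED: <reason>'."""
    results = {}
    for key in keys:
        try:
            allow = allowlist_validate(key)
        except UploadRejected as exc:
            allow = f"REJECTED: {exc}"
        results[key] = (blocklist_rename(key), allow)
    return results


if __name__ == "__main__":
    # Constructed sample keys: one benign document, the two cases the advisory
    # names, a double extension, and a traversal attempt.
    sample_keys = ["notes.pdf", "shell.php", "shell.pht", "notes.pdf.pht", "../notes.pdf"]
    for key, (block, allow) in compare(sample_keys).items():
        print(f"{key:16} blocklist -> {block:16} allowlist -> {allow}")
```

Run as a script, the comparison shows the blocklist turning shell.php into shell.phps but leaving shell.pht untouched, while the allowlist rejects every key except notes.pdf. Filename validation is only one layer: the advisory makes clear that the impact depends on the web server's handler mapping, so the upload directory should also be served with script execution disabled, and the fix itself is the upgrade to 1.11.38.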
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
This CVE enables Exploit Public-Facing Application (T1190) via arbitrary file upload, facilitating deployment of a .pht web shell for remote code execution (T1100, the legacy Web Shell technique ID, now consolidated under T1505.003).