PT-2026-21308 · Unknown · Elfinder Filemanager+1

Published

2026-02-20

Updated

2026-02-20

CVE-2018-25158

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Chamilo LMS version 1.11.8

Description Chamilo LMS version 1.11.8 has an issue that allows authenticated users to upload and execute PHP files. This is possible through the elfinder filemanager module. An attacker can upload files with image headers in the social myfiles section, rename them to PHP extensions, and then execute arbitrary code by accessing these uploaded files. The vulnerable module is elfinder filemanager. The affected area is the 'social myfiles' section.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the elfinder filemanager module to minimize the risk of exploitation.

Fix

Unrestricted File Upload

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-434

Related Identifiers

CVE-2018-25158

Affected Products

Chamilo Lms

Elfinder Filemanager

PT-2026-21308 · Unknown · Elfinder Filemanager+1

CVE-2018-25158

Weakness Enumeration

Related Identifiers

Affected Products

References · 6