PT-2026-25799 · Chamilo · Chamilo LMS
Credit: Dhiyaneshgeek +1
Published: 2026-03-16 · Updated: 2026-03-17
CVE-2026-30875
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Chamilo LMS versions prior to 1.11.36

Description: Chamilo LMS is a learning management system. A flaw in the H5P Import feature allows authenticated users with the Teacher role to achieve Remote Code Execution (RCE). The system's validation of H5P packages only confirms that an h5p.json file is present; it does not block harmful files such as .htaccess or PHP files with alternative extensions. An attacker can upload a specially crafted H5P package containing a webshell and a .htaccess file. The .htaccess file enables PHP execution for .txt files, bypassing the extension-based security controls. The API endpoint involved is the H5P Import feature. The vulnerable component is the H5P package validation process, specifically the function that checks for the h5p.json file. The attacker manipulates the h5p.json file and the associated files within the H5P package.

Recommendations: Update Chamilo LMS to version 1.11.36 or later.
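The root cause described above is a validator that only checks for h5p.json. The following is an added example (not Chamilo's code) of the stricter check a package import should apply: require h5p.json, reject server configuration and hidden files such as .htaccess, reject executable extensions on any dotted suffix, enforce an allowlist of extensions, and refuse unsafe archive paths. The file and extension lists are constructed for the example and would be tuned to the deployment.

```python
import io
import posixpath
import zipfile

# Constructed lists for this example: names a web server reads as configuration,
# extensions it may execute, and extensions an H5P package legitimately needs.
CONFIG_FILES = {".htaccess", ".htpasswd", ".user.ini", "web.config"}
EXEC_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".php7", ".phps", ".phar", ".cgi"}
ALLOWED_EXTENSIONS = {".json", ".js", ".css", ".svg", ".png", ".jpg", ".jpeg", ".gif",
                      ".woff", ".woff2", ".ttf", ".eot", ".mp3", ".mp4", ".webm", ".txt"}


def validate_h5p(package: bytes) -> list[str]:
    """Return the reasons an uploaded H5P package must be rejected; [] means accept."""
    try:
        with zipfile.ZipFile(io.BytesIO(package)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    problems = [] if "h5p.json" in names else ["missing h5p.json"]
    for name in names:
        if name.endswith("/"):
            continue  # directory entry, nothing is written for it
        norm = posixpath.normpath(name)
        if name.startswith("/") or "\\" in name or norm.split("/")[0] == "..":
            problems.append(f"unsafe path: {name}")
            continue
        base = posixpath.basename(norm).lower()
        # Every dotted suffix is checked, so shell.php.txt is caught as well as shell.php
        suffixes = {"." + part for part in base.split(".")[1:]}
        if base in CONFIG_FILES or base.startswith("."):
            problems.append(f"server config or hidden file: {name}")
        elif suffixes & EXEC_EXTENSIONS:
            problems.append(f"executable extension: {name}")
        elif posixpath.splitext(base)[1] not in ALLOWED_EXTENSIONS:
            problems.append(f"extension not on allowlist: {name}")
    return problems


def build_package(files: dict[str, bytes]) -> bytes:
    """Build an in-memory zip so the validator can be exercised offline (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_package({"h5p.json": b"{}", "content/content.json": b"{}"})
    tainted = build_package({"h5p.json": b"{}", ".htaccess": b"(constructed)", "content/shell.txt": b"(constructed)"})
    print(validate_h5p(clean), validate_h5p(tainted))
```

Note that the .txt payload itself passes the allowlist; it is the .htaccess entry that makes the package dangerous, which is why configuration files must be rejected independently of the extension check.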

Tags: Exploit, Fix, RCE, Code Injection

Related Identifiers: CVE-2026-30875, GHSA-MJ4F-8FW2-HRFM

Affected Products: Chamilo LMS