Zero Day MonitorZDM

← Back to list

7.5

CVE-2026-32931EXPLOITED

chamilo · chamilo-lms

Chamilo LMS has Arbitrary File Upload via MIME-Only Validation in Exercise Sound Upload Leads to RCE

Description

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its original .php extension and is placed in a web-accessible directory, enabling Remote Code Execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

Affected Products

Vendor	Product	Versions
chamilo	chamilo-lms	< 1.11.38, >= 2.0.0-alpha.1, < 2.0.0-RC.3, < 1.11.37, < 2.0.0-RC.2

References

https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-863j-h6pf-3xhx(x_refsource_CONFIRM)
https://github.com/chamilo/chamilo-lms/commit/8cbe660de267f2b6ed625433bdfcf38dee8752b4(x_refsource_MISC)
https://github.com/chamilo/chamilo-lms/commit/d5ef5153df3d1b2de112cbeb190cdd10bea457f3(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-32931 | Chamilo LMS up to 1.11.37/2.0.0-RC.2 File unrestricted upload

→ No new info (linked only)

CVSS 3.17.5 CRITICAL

VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-434

PublishedApr 10, 2026

Last enriched4h agov2

Trending Score49

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-33704EXP

Chamilo LMS Affected by Authenticated Arbitrary File Write via BigUpload endpoint

CRITICALCVE-2026-33706EXP

Chamilo LMS has a REST API Self-Privilege Escalation (Student → Teacher)

CRITICALCVE-2026-31939EXP

Path Traversal (Arbitrary File Delete) in Chamilo LMS

CRITICALCVE-2026-32894EXP

Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Deletion of Any Student's Grade Result

CRITICALCVE-2026-31940EXP

Session Fixation in Chamilo LMS

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 10, 2026

Actively Exploited

Apr 10, 2026

Discovered by ZDM

Apr 10, 2026

Updated: affectedVersions, severity, activelyExploited

Apr 10, 2026

Version History

v2

Last enriched 4h ago

v2Tier C4h ago

Updated affected versions to include < 1.11.37 and < 2.0.0-RC.2, changed severity to CRITICAL, and marked as actively exploited.

affectedVersionsseverityactivelyExploited

via VulDB

v14h ago

Initial creation