Platform
php
Component
chamilo-lms
Fixed in
1.11.39
2.0.1
CVE-2026-32931 is a Remote Code Execution (RCE) vulnerability affecting Chamilo LMS, a popular learning management system. This flaw allows an authenticated teacher to upload malicious PHP files, potentially granting attackers control over the server. The vulnerability impacts versions 1.11.0 through 2.0.0-RC.3, excluding 1.11.38. A patch is available in versions 1.11.38 and 2.0.0-RC.3.
CVE-2026-32931 in Chamilo LMS presents a Remote Code Execution (RCE) vulnerability. An authenticated teacher can exploit this by uploading a PHP webshell through the exercise sound upload function. The attacker spoofs the Content-Type header to appear as audio/mpeg while uploading a PHP script. The file is stored in a web-accessible directory, retaining its .php extension, allowing the attacker to execute code with the web server user's privileges (www-data). This vulnerability has a high severity rating as a successful exploit could grant an attacker complete control over the server, leading to data breaches and system compromise.
This vulnerability is concerning because it requires only authentication as a teacher within Chamilo LMS. A legitimate user account with that level of access can be abused to exploit it if proper security measures are not in place. Content-Type header spoofing is a common technique used to bypass security checks, and this vulnerability highlights the importance of validating file content on the server rather than trusting the declared type. The impact of exploitation is significant, allowing arbitrary code execution on the server, potentially leading to data loss, service disruption, and reputational damage.
EPSS
0.18% (39th percentile)
The recommended mitigation is to upgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later. These versions include a fix that properly validates the content type of uploaded files, preventing the upload of malicious PHP files. Additionally, review and strengthen system security policies, including implementing the principle of least privilege for the web server user. Regular security audits are crucial to identify and mitigate potential vulnerabilities. Monitoring server logs for suspicious activity is also recommended.
Update Chamilo LMS to version 1.11.38 or later, or to version 2.0.0-RC.3 or later. This update corrects the arbitrary file upload vulnerability, which stemmed from validating only the client-supplied MIME type and allowed Remote Code Execution (RCE).
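The root cause and the fix described above, as an added PHP example that is not Chamilo's own code: the weak check trusts the client-supplied Content-Type in `$_FILES`, while the hardened version ignores it, allowlists the extension, sniffs the file content with `finfo`, and stores the file under a server-chosen name. The function names and `$destDir` are assumptions.

```php
<?php
// Added example, not Chamilo's code. Assumes $_FILES['file'] holds the uploaded
// exercise sound and $destDir is a directory the web server does not execute PHP from.
declare(strict_types=1);

// Weak check: $_FILES['file']['type'] is copied from the request's Content-Type,
// so any file sent with "audio/mpeg" passes, whatever its real content or extension.
function weakIsAudio(array $upload): bool
{
    return $upload['type'] === 'audio/mpeg';
}

// Hardened check: never consult the client-supplied type. Allowlist the extension,
// sniff the bytes on the server, and require the two to agree.
function validateAudioUpload(array $upload, string $destDir): string
{
    $allowed = [
        'mp3' => ['audio/mpeg', 'audio/mp3'],
        'ogg' => ['audio/ogg', 'application/ogg'],
        'wav' => ['audio/x-wav', 'audio/wav'],
    ];
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('invalid upload');
    }
    // Judge only the final extension and reject anything outside the allowlist,
    // so a .php name can never reach disk.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Sniff magic bytes server-side; a PHP script sent as audio/mpeg sniffs as
    // text/x-php or text/plain and fails here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->file($upload['tmp_name']);
    if (!in_array($sniffed, $allowed[$ext], true)) {
        throw new RuntimeException("content ($sniffed) does not match .$ext");
    }
    // Store under a random server-chosen name with the allowlisted extension, so the
    // original filename never decides what the web server will treat as code.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}
```

Content sniffing is defence in depth, not the whole fix: the upload directory should also have PHP execution disabled in the web server configuration, so that even a file that passes the checks is only ever served as data.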
Versions prior to 1.11.38 and 2.0.0-RC.3 are affected by this vulnerability.
Check the version of your Chamilo LMS. If it's older than 1.11.38 or 2.0.0-RC.3, it is vulnerable.
As a temporary measure, restrict access to the exercise sound upload function and monitor server logs for suspicious activity.
Currently, there are no specific tools to detect this vulnerability, but manual security audits can help identify it.
Sensitive data of students, teachers, and administrators, as well as system configuration and server files, could be compromised.