Cyber Posture

CVE-2026-29041

High

Published: 06 March 2026

Modified: 09 March 2026
KEV Added: not listed
Patch: available (1.11.34)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (percentile 49.2)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-29041 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Chamilo LMS (vendor: Chamilo). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 49.2 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (Web Shell, T1505.003). What defenders deploy: the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly mandates comprehensive server-side validation of uploaded files, including extensions and content beyond MIME-type checks, to block crafted executables and prevent RCE.

SI-3 Malicious Code Protection (prevent, detect)

Requires malicious code protection mechanisms, such as scanning uploaded files at the boundary, to identify and block executable code from low-privileged users.

SI-2 Flaw Remediation (prevent)

Ensures timely flaw remediation by applying vendor patches such as Chamilo 1.11.34, directly eliminating the improper file validation vulnerability.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (tactic: Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Authenticated RCE via inadequate file upload validation in a public-facing web application (Chamilo LMS) maps directly to exploitation of public-facing applications (T1190) and to the deployment and execution of web shells for arbitrary command execution (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The application relies solely on MIME-type verification when handling file uploads and does not adequately validate file extensions or enforce safe server-side storage restrictions. As a result, an authenticated low-privileged user can upload a crafted file containing executable code and subsequently execute arbitrary commands on the server. This issue has been patched in version 1.11.34.

Deeper analysis

CVE-2026-29041 is an authenticated remote code execution vulnerability (CWE-434) affecting Chamilo LMS, an open-source learning management system, in versions prior to 1.11.34. The issue arises from inadequate file upload validation: the application depends solely on MIME-type checks, which the client supplies, without validating file extensions or imposing safe server-side storage restrictions, so a malicious file can pass the upload controls. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability.

An authenticated low-privileged user can exploit the vulnerability by uploading a crafted file containing executable code, which they can then trigger to execute arbitrary commands on the server. No user interaction is required beyond authentication, enabling remote exploitation over the network.
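As an added example (not Chamilo's code or the 1.11.34 patch), the MIME-only check the description above attributes to the vulnerable versions, beside a hardened server-side check and a safe storage step, in Python over constructed sample uploads; the upload directory path is an assumption:

```python
import secrets
from pathlib import Path

# Constructed sample uploads: (client-declared MIME type, original filename, file bytes).
# A client controls all three values, so none of them can be trusted on its own.
SAMPLE_UPLOADS = [
    ("image/png", "avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),  # genuine PNG
    ("image/png", "avatar.php", b"<?php echo 1; ?>"),                  # declared MIME lies
    ("image/png", "avatar.png", b"<?php echo 1; ?>"),                  # extension and MIME lie
    ("image/jpeg", "photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 8),    # genuine JPEG
]

# Allowlisted extensions, the magic bytes each must start with, and the MIME type it implies.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}
EXPECTED_MIME = {".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg"}


def weak_accept(declared_mime, filename, data):
    """The pattern the advisory describes: trust only the client-declared MIME type."""
    return declared_mime in EXPECTED_MIME.values()


def hardened_accept(declared_mime, filename, data):
    """Server-side validation: extension allowlist, content sniffing, and MIME agreement."""
    ext = Path(filename).suffix.lower()          # only the final extension is considered
    if ext not in MAGIC:
        return False                             # .php, .phtml, no extension, etc. are rejected
    if not data.startswith(MAGIC[ext]):
        return False                             # content does not match the claimed type
    return declared_mime == EXPECTED_MIME[ext]   # declared type must agree with the content


def storage_path(filename, upload_root="/srv/uploads"):
    """Safe storage restriction: a random server-chosen name under a directory that sits
    outside the web root and is never handed to a script interpreter (upload_root is an
    assumed path). The user-supplied name never reaches the filesystem."""
    ext = Path(filename).suffix.lower()
    if ext not in MAGIC:
        raise ValueError("extension not allowlisted")
    return str(Path(upload_root) / (secrets.token_hex(16) + ext))


def evaluate(uploads=SAMPLE_UPLOADS):
    """Return (weak verdict, hardened verdict) for each sample upload."""
    return [(weak_accept(*u), hardened_accept(*u)) for u in uploads]


if __name__ == "__main__":
    for upload, verdict in zip(SAMPLE_UPLOADS, evaluate()):
        print(upload[1], "weak:", verdict[0], "hardened:", verdict[1])
```

The weak check accepts all four samples because every request declares an image type; the hardened check accepts only the two whose extension, content and declared type agree.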

The vulnerability has been patched in Chamilo LMS version 1.11.34. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub release notes at https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34 and the security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4pc3-4w2v-vwx8.

Details

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Affected Products

Vendor: Chamilo
Product: Chamilo LMS
Versions: ≤ 1.11.34

CVEs Like This One

CVE-2026-33704 (same product: Chamilo LMS)
CVE-2026-32931 (same product: Chamilo LMS)
CVE-2026-30875 (same product: Chamilo LMS)
CVE-2026-33618 (same product: Chamilo LMS)
CVE-2025-50188 (same product: Chamilo LMS)
CVE-2024-47886 (same product: Chamilo LMS)
CVE-2025-52469 (same product: Chamilo LMS)
CVE-2025-50192 (same product: Chamilo LMS)
CVE-2026-33710 (same product: Chamilo LMS)
CVE-2025-50190 (same product: Chamilo LMS)
