Cyber Posture

CVE-2026-32931

High

Published: 10 April 2026

Modified: 17 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0028 (51.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32931 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Chamilo LMS (vendor: Chamilo). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 48.7% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (Web Shell, T1505.003). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly validates uploaded files in the exercise sound function beyond the spoofable Content-Type header, so that dangerous types such as PHP webshells are rejected.

Malicious-code scanning of uploads (prevent, detect)
Scans uploads for malicious code such as PHP webshells before they are stored in web-accessible directories, preventing or detecting exploitation.

SI-2 Flaw Remediation (prevent)
Requires timely patching of the unrestricted file upload flaw, fixed in Chamilo LMS 1.11.38 and 2.0.0-RC.3, to eliminate the vulnerability.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Unrestricted file upload in a public-facing Chamilo LMS instance is exploitation of a public-facing application (T1190), and the uploaded PHP file is itself a web shell (T1505.003) that yields remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its original .php extension and is placed in a web-accessible directory, enabling Remote Code Execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

Deeper analysis

CVE-2026-32931 is an unrestricted file upload vulnerability in Chamilo LMS, an open-source learning management system. The flaw affects versions prior to 1.11.38 and 2.0.0-RC.3, specifically the exercise sound upload function. It allows an authenticated user with the teacher role to upload arbitrary files, such as a PHP webshell, because the server trusts the client-supplied Content-Type header (spoofed to audio/mpeg) instead of validating the file itself. Uploaded files retain their original .php extension and are placed in a web-accessible directory, enabling remote code execution as the web server user, typically www-data. The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated teacher can exploit this vulnerability remotely. By crafting a request with a spoofed Content-Type header, the attacker uploads a malicious PHP file disguised as an audio file during the exercise sound upload process. Once uploaded to the accessible directory, the file can be executed via a web request, granting remote code execution privileges equivalent to the web server process. The high attack complexity stems from the need for authentication and precise header manipulation, but successful exploitation yields high impacts on confidentiality, integrity, and availability.

Mitigation requires upgrading to Chamilo LMS 1.11.38 or 2.0.0-RC.3, where the vulnerability is fixed. Patch details are documented in GitHub commits https://github.com/chamilo/chamilo-lms/commit/8cbe660de267f2b6ed625433bdfcf38dee8752b4 and https://github.com/chamilo/chamilo-lms/commit/d5ef5153df3d1b2de112cbeb190cdd10bea457f3, with further guidance in the security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-863j-h6pf-3xhx. Administrators should review access controls for teacher roles and monitor upload directories for anomalies in the interim.
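Added example, not Chamilo's code: the kind of server-side check the SI-10 control above calls for, plus an interim scan of an upload directory as the analysis suggests. The Content-Type header is taken as a parameter only to show that it is never consulted; the allowlist of audio extensions, the magic-byte signatures and the executable-extension pattern are assumptions chosen for this illustration.

```python
import re
import secrets
from pathlib import PurePosixPath

# Allowed extensions and leading-byte signatures for the audio formats an
# exercise sound upload should accept (assumed set, not Chamilo's own list).
ALLOWED_AUDIO = {
    "mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    "wav": (b"RIFF",),
    "ogg": (b"OggS",),
}
# Extensions a PHP-enabled web server may execute, matched anywhere in the
# name so double extensions such as sound.php.mp3 are caught as well.
EXECUTABLE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
PHP_OPEN_TAG = re.compile(rb"\s*<\?(php|=)", re.IGNORECASE)


def validate_sound_upload(filename: str, declared_type: str, data: bytes):
    """Return (accepted, reason, stored_name). declared_type is the
    client-controlled Content-Type header and is deliberately ignored."""
    name = PurePosixPath(filename).name          # drop any directory part
    if EXECUTABLE.search(name):
        return False, "executable extension in filename", None
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_AUDIO:
        return False, f"extension {ext!r} not in allowlist", None
    if not any(data.startswith(sig) for sig in ALLOWED_AUDIO[ext]):
        return False, "content does not match an audio signature", None
    if ext == "wav" and data[8:12] != b"WAVE":
        return False, "RIFF container is not WAVE", None
    # Server-chosen name: random stem plus the validated extension only, so
    # neither the original name nor its extension reaches the filesystem.
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"


def suspicious_uploads(entries):
    """Interim detection over (name, leading_bytes) pairs read from an upload
    directory (e.g. fed from os.walk): report files that are executable by
    name or that start with a PHP open tag regardless of extension."""
    hits = []
    for name, head in entries:
        if EXECUTABLE.search(name) or PHP_OPEN_TAG.match(head):
            hits.append(name)
    return hits
```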

Details

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Affected Products

Chamilo LMS (vendor: chamilo)
Versions: 2.0.0 · ≤ 1.11.38

