CVE-2026-33704
Published: 10 April 2026
Summary
CVE-2026-33704 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of the 'key' parameter and raw POST body content to block unrestricted uploads of dangerous file types like .pht containing PHP code.
Enforces least privilege to prevent low-privilege authenticated users such as students from writing arbitrary files to the server filesystem via the BigUpload endpoint.
Mandates flaw remediation including patching to Chamilo LMS 1.11.38, which directly fixes the arbitrary file write vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables exploitation of public-facing web application (T1190) via arbitrary file upload, facilitating deployment of .pht web shell for remote code execution (T1100).
NVD Description
Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes…
more
the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38.
Deeper analysisAI
CVE-2026-33704 is an arbitrary file write vulnerability in Chamilo LMS, an open-source learning management system, affecting versions prior to 1.11.38. The issue exists in the BigUpload endpoint, where any authenticated user can specify a filename via the "key" parameter and supply arbitrary content through the raw POST body, which is written directly to the server filesystem. While filenames with .php extensions are sanitized to .phps, the .pht extension passes through unmodified, enabling remote code execution on Apache configurations that interpret .pht files as PHP scripts. The vulnerability is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L).
Any authenticated user, including low-privilege accounts such as students, can exploit this vulnerability remotely with low attack complexity and no user interaction. By uploading a malicious .pht file containing PHP code, an attacker can achieve remote code execution on the server, potentially leading to full server compromise depending on the environment.
The vulnerability is addressed in Chamilo LMS version 1.11.38. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v and the fixing commit at https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00.
Details
- CWE(s)