CVE-2026-30875: Chamilo LMS RCE — Patch Guide

Overview

A high-severity security vulnerability has been identified in Chamilo LMS, a popular open-source learning management system. Tracked as CVE-2026-30875, this flaw is an arbitrary file upload vulnerability that could allow an attacker to take full control of an affected server.

Vulnerability Details

In Chamilo LMS versions prior to 1.11.36, the system’s H5P content import feature contains insufficient security checks. While the feature validates the presence of a required h5p.json file, it fails to properly screen other file types within the uploaded package.

An authenticated user with the “Teacher” role can exploit this by creating a malicious H5P package. This package can contain a webshell (a malicious script that provides remote access) disguised with a .txt extension, along with a .htaccess configuration file. The .htaccess file can be configured to force the server to execute .txt files as PHP code, thereby bypassing the system’s intended security controls. This leads directly to Remote Code Execution (RCE).

Potential Impact

The impact of this vulnerability is severe. Successful exploitation allows an attacker to execute arbitrary commands on the underlying server with the permissions of the web server process. This could lead to:

• Complete compromise of the Chamilo application and its data.
• Theft of sensitive student and course information.
• Installation of persistent backdoors or malware.
• Use of the server as a launch point for attacks on other internal systems.

For organizations, this could result in significant data breaches, operational disruption, and compliance violations. You can review historical incidents to understand the real-world impact of such vulnerabilities in our breach reports.

Remediation and Mitigation

The primary and most critical action is to update your Chamilo LMS installation immediately.

1. Immediate Patching:

• Upgrade Chamilo LMS to version 1.11.36 or later. This version contains the necessary patches to properly validate H5P package contents and prevent this exploit.

2. Temporary Mitigation (If Patching is Delayed):

• If an immediate update is not possible, consider restricting or disabling the H5P import functionality for Teacher roles until the patch can be applied.
• Review server logs for any suspicious file upload activity or unexpected .htaccess files in the H5P directories.
• Ensure your web server and PHP configurations follow security best practices.

3. General Security Hygiene:

• Adhere to the principle of least privilege. Regularly audit user roles and ensure only necessary personnel have elevated permissions like “Teacher.”
• Keep all software components, including the underlying operating system and web server, up to date.

Staying informed about such threats is crucial for maintaining a strong security posture. For the latest updates on vulnerabilities and patches, follow our security news section. Administrators who have not yet applied the patch should treat this as a high-priority task to prevent potential system compromise.