Chamilo LMS, a widely used open-source learning management system, contains a critical vulnerability identified as CVE-2026-30875, classified under CWE-94 (Improper Control of Generation of Code). The flaw exists in the H5P Import feature prior to version 1.11.36, where the system inadequately validates uploaded H5P packages. Specifically, it only verifies the existence of the h5p.json file but fails to block malicious files such as .htaccess or PHP scripts disguised with alternative extensions. Authenticated users with Teacher privileges can exploit this by uploading a crafted H5P package containing a webshell and a .htaccess file configured to enable PHP execution for files with extensions like .txt. This bypasses the intended security restrictions and allows remote code execution (RCE) on the server hosting Chamilo LMS. The vulnerability requires authentication with Teacher-level access but does not require further user interaction, making exploitation straightforward once access is obtained. The CVSS v3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and network attack vector. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the potential for full system compromise. The vendor addressed the issue in version 1.11.36 by improving file validation and blocking unauthorized executable files in H5P packages.

The exploitation of CVE-2026-30875 can lead to full remote code execution on servers running vulnerable versions of Chamilo LMS, compromising the confidentiality, integrity, and availability of the affected systems. Attackers could execute arbitrary commands, deploy malware, steal sensitive educational data, manipulate course content, or pivot to other internal network resources. Given Chamilo LMS's role in managing educational content and user data, such a breach could disrupt academic operations, damage institutional reputations, and lead to data privacy violations. The requirement for Teacher-level authentication limits exposure to some extent but does not eliminate risk, especially in environments with weak access controls or compromised credentials. Organizations relying on Chamilo LMS for critical educational services worldwide could face operational downtime, data breaches, and regulatory consequences if exploited.

Organizations should immediately upgrade Chamilo LMS to version 1.11.36 or later to apply the official patch addressing this vulnerability. Until the upgrade is completed, restrict Teacher role permissions to the minimum necessary, especially limiting access to the H5P Import feature. Implement strict monitoring and logging of file uploads and user activities related to H5P content. Conduct regular audits of uploaded H5P packages to detect suspicious files such as .htaccess or unexpected executable content. Employ web application firewalls (WAFs) with custom rules to block unusual file upload patterns and execution of scripts with non-standard extensions. Additionally, enforce strong authentication controls, including multi-factor authentication for users with elevated privileges, to reduce the risk of credential compromise. Network segmentation and least privilege principles should be applied to limit the impact of potential exploitation. Finally, maintain regular backups of LMS data and configurations to enable rapid recovery in case of compromise.