CVE-2026-30875 Overview
CVE-2026-30875 is an arbitrary file upload vulnerability in Chamilo LMS, a widely-used open-source learning management system. The vulnerability exists in the H5P Import feature and allows authenticated users with Teacher role to achieve Remote Code Execution (RCE) on the underlying server. The H5P package validation mechanism only verifies the existence of the h5p.json file but fails to block dangerous file types including .htaccess files and PHP files with alternative extensions. An attacker can exploit this by uploading a crafted H5P package containing a webshell along with an .htaccess file that enables PHP execution for otherwise innocuous file extensions such as .txt, effectively bypassing the application's security controls.
Critical Impact
Authenticated users with Teacher privileges can achieve full Remote Code Execution on the server by exploiting insufficient file upload validation in the H5P Import feature, potentially compromising the entire learning management platform and its data.
Affected Products
- Chamilo LMS versions prior to 1.11.36
Discovery Timeline
- 2026-03-16 - CVE-2026-30875 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-30875
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code / Code Injection). The flaw resides in how Chamilo LMS processes H5P package imports. H5P is an open-source content collaboration framework designed to create, share, and reuse interactive HTML5 content. When a Teacher uploads an H5P package, the application performs minimal validation—checking only whether the required h5p.json manifest file exists within the archive. This creates a significant security gap as the validation does not inspect or restrict other file types included in the package.
The attack is network-accessible and requires low privileges (Teacher role), making it exploitable by any user with course content creation permissions. Upon successful exploitation, an attacker gains the ability to execute arbitrary code on the server with the privileges of the web server process, leading to potential complete system compromise including access to database credentials, student data, and lateral movement capabilities within the network.
Root Cause
The root cause of CVE-2026-30875 is insufficient file type validation during the H5P package import process. The application's upload handler examines the archive for the presence of h5p.json as a validity check but does not implement a comprehensive file type allowlist or denylist. This oversight allows dangerous files to be included in the uploaded package, including:
- Apache .htaccess files - These server configuration files can override directory-level settings
- PHP files with alternative extensions - Such as .pht, .phtml, or when combined with a permissive .htaccess, even .txt files can be configured to execute as PHP
Attack Vector
The attack follows a multi-stage exploitation pattern leveraging the trusted H5P package format:
- Package Preparation: The attacker creates a malicious H5P archive (ZIP format) containing a valid h5p.json file to pass validation, along with a PHP webshell and a crafted .htaccess file
- Configuration Override: The .htaccess file included in the package contains directives to enable PHP execution for non-standard extensions (e.g., AddHandler application/x-httpd-php .txt)
- Upload and Extraction: When the Teacher uploads the package through the H5P Import feature, the application extracts all contents to a web-accessible directory
- Code Execution: The attacker navigates to the uploaded webshell file, now executable due to the .htaccess configuration, achieving arbitrary command execution
The attack requires authentication with Teacher privileges but does not require any user interaction beyond the initial upload, and the exploitation complexity is low once the attacker has prepared the malicious package.
Detection Methods for CVE-2026-30875
Indicators of Compromise
- Presence of .htaccess files in H5P content directories that were not part of the original application deployment
- Unexpected PHP files or files with suspicious content in the H5P storage path (typically under app/upload/ or similar directories)
- Web server access logs showing requests to unusual file paths within H5P content directories, especially with query parameters or POST data
- Process execution anomalies originating from the web server user account (e.g., www-data, apache)
Detection Strategies
- Monitor file system changes in H5P upload directories for creation of .htaccess files or executable scripts
- Implement web application firewall (WAF) rules to detect and block H5P packages containing suspicious file types
- Review authentication logs for Teacher account activity followed by unusual file access patterns
- Deploy endpoint detection to identify shell spawning from web server processes
Monitoring Recommendations
- Enable verbose logging for file upload operations in Chamilo LMS configuration
- Configure SIEM alerts for file creation events in web-accessible upload directories
- Implement integrity monitoring on critical directories to detect unauthorized configuration file additions
- Monitor outbound network connections from the web server for potential command-and-control communication
How to Mitigate CVE-2026-30875
Immediate Actions Required
- Upgrade Chamilo LMS to version 1.11.36 or later immediately
- Audit existing H5P content directories for suspicious files, particularly .htaccess files and PHP scripts
- Review Teacher account access and revoke unnecessary privileges until the patch is applied
- Consider temporarily disabling the H5P Import feature if patching cannot be performed immediately
Patch Information
The Chamilo development team has addressed this vulnerability in version 1.11.36. The patch implements proper file type validation during H5P package import, blocking dangerous file types including .htaccess and PHP files regardless of extension. Organizations running affected versions should upgrade immediately by obtaining the patched release from the GitHub Release v1.11.36. For detailed information about the vulnerability and the fix, refer to the GitHub Security Advisory GHSA-mj4f-8fw2-hrfm.
Workarounds
- Configure the web server to ignore .htaccess files in upload directories by setting AllowOverride None in the Apache virtual host configuration for those paths
- Implement file upload scanning that rejects archives containing .htaccess or PHP-related files at the web server or WAF level
- Restrict Teacher role assignments to only trusted personnel and implement additional approval workflows for content uploads
- Deploy application-level controls to strip or quarantine suspicious files from uploaded H5P packages before extraction
# Apache configuration to disable .htaccess in upload directories
# Add to your virtual host configuration file
<Directory /var/www/chamilo/app/upload>
AllowOverride None
<FilesMatch "\.ph(p|t|tml|ar)$">
Require all denied
</FilesMatch>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
