Home / Vulnerability Intelligence / CVE-2026-30875

CVE-2026-30875 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 17, 2026

Chamilo LMS - Remote Code Execution

Published: March 16, 2026Updated: March 17, 2026Remote Exploitable

Overview

Chamilo LMS < 1.11.36 contains an arbitrary file upload vulnerability in the H5P Import feature caused by insufficient validation of uploaded package files, letting authenticated Teacher users achieve remote code execution by uploading crafted packages with webshell and .htaccess files.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 15.1%(Probability of exploitation in next 30 days)

Impact

Authenticated Teacher users can execute arbitrary code remotely, potentially compromising the entire system.

Mitigation

Update to version 1.11.36 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 16, 2026

🟠 CVE-2026-30875 - High (8.8) Chamilo LMS is a learning management system. Prior to version 1.11.36, an arbitrary file upload vulnerability in the H5P Import feature allows authenticated users with Teacher role to achieve Remote Code Execution (RCE). The H5P package validation... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-30875/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-30875
Severity: High
CVSS Score: 8.8
Type: unrestricted_file_upload
Status: confirmed
EPSS: 15.1%
Social Posts: 1

CWE

CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

15.1%Probability of exploitation in the next 30 days