CVE-2026-29041

HIGH

Chamilo <1.11.34 - Authenticated RCE

Description

Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The application relies solely on MIME-type verification when handling file uploads and does not adequately validate file extensions or enforce safe server-side storage restrictions. As a result, an authenticated low-privileged user can upload a crafted file containing executable code and subsequently execute arbitrary commands on the server. This issue has been patched in version 1.11.34.

Exploits (3)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-29041
nomisec WORKING POC
by kx00007 · poc
https://github.com/kx00007/CVE-2026-29041
nomisec WORKING POC
by celeboy711-hue · poc
https://github.com/celeboy711-hue/CVE-2026-29041

Scores

CVSS v3 8.8
EPSS 0.0022
EPSS Percentile 44.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-434
Status published
Products (1)
chamilo/chamilo_lms < 1.11.34
Published Mar 06, 2026
Tracked Since Mar 06, 2026