
Chamilo LMS: Authenticated attackers can upload and run malicious files

CVE-2018-25158
Summary

Authenticated users can upload and run PHP files through the file manager in Chamilo Learning Management System. This means attackers can potentially take control of the system and access sensitive data. Update Chamilo LMS to the latest version to fix this issue.

Original title
Chamilo LMS 1.11.8 contains an arbitrary file upload vulnerability that allows authenticated users to upload and execute PHP files through the elfinder filemanager module. Attackers can upload file...
Original description
Chamilo LMS 1.11.8 contains an arbitrary file upload vulnerability that allows authenticated users to upload and execute PHP files through the elfinder filemanager module. Attackers can upload files with image headers in the social myfiles section, rename them to PHP extensions, and execute arbitrary code by accessing the uploaded files.
NVD CVSS 3.1: 8.8
NVD CVSS 4.0: 8.7
Vulnerability type
CWE-434 Unrestricted File Upload
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
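
To check an upload area for the pattern in the description (a file that starts with an image header but carries a PHP extension), here is an added audit script; it is not code from Chamilo or elFinder. The extension list and the sample tree are assumptions to adapt to your own web server configuration and upload directory.

```python
import os
import tempfile

# Extensions commonly mapped to the PHP handler (assumed; match your server config).
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".pht"}

# Leading bytes of common image formats.
IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif",
               b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}

def image_type(head):
    """Return the image format named by the leading bytes, or None."""
    for magic, name in IMAGE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None

def audit_upload_tree(root):
    """Return sorted (relative_path, reason) for script-extension files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                kind = image_type(fh.read(16))
            reason = (f"script extension with {kind} header" if kind
                      else "script extension in upload area")
            findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)

def demo():
    # Constructed sample tree; names and contents are made up for this example.
    samples = {"avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
               "photo.php": b"GIF89a" + b"\x00" * 8,
               "notes.PHTML": b"plain text"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return audit_upload_tree(root)

if __name__ == "__main__":
    for rel, why in demo():
        print(f"{rel}: {why}")
```

Any hit in a user upload directory deserves review, and a hit with an image header matches the rename technique described above.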