What is CVE-2026-33704?

CVE-2026-33704 is a high-severity vulnerability in Chamilo Chamilo-lms, classified under Unrestricted Upload of File with Dangerous Type. CVSS score: 7.1/10. Published 2026-04-10.

How severe is CVE-2026-33704?

High severity. CVSS v3 base score is 7.1 out of 10.

Arbitrary file upload in Chamilo Chamilo-lms

CVE-2026-33704

Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw P…

Vulnerability class: Unrestricted File Upload

EPSS: 0.003 (54.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.1 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L.

Affected products

Chamilo Chamilo-lms — versions < 1.11.38

Weakness classification (CWE)

CWE-434 — Unrestricted Upload of File with Dangerous Type

References

https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v (x_refsource_CONFIRM)
https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-33704?: CVE-2026-33704 is a high-severity vulnerability in Chamilo Chamilo-lms, classified under Unrestricted Upload of File with Dangerous Type. CVSS score: 7.1/10. Published 2026-04-10.
How severe is CVE-2026-33704?: High severity. CVSS v3 base score is 7.1 out of 10.