8.7
Chamilo Learning Management System: Unsecured Code Execution by Administrator
CVE-2024-47886
Summary
An attacker with administrative access to a Chamilo learning management system can execute arbitrary code on the server. The issue affects Chamilo versions 1.11.12 to 1.11.26. Update Chamilo to version 1.11.26 or later to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| chamilo | chamilo_lms | > 1.11.12 , <= 1.11.26 | – |
Original title
Chamilo is a learning management system. Chamilo is affected by a post-authentication phar unserialize which leads to a remote code execution (RCE) within versions 1.11.12 to 1.11.26. By abusing m...
Original description
Chamilo is a learning management system. Chamilo is affected by a post-authentication phar unserialize which leads to a remote code execution (RCE) within versions 1.11.12 to 1.11.26. By abusing multiple supported features from the virtualization plugin vchamilo, the vulnerability allows an administrator to execute arbitrary code on the server. This issue has been patched in version 1.11.26.
nvd CVSS3.1
7.2
nvd CVSS4.0
8.7
Vulnerability type
CWE-502
Deserialization of Untrusted Data
- https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.28 (Product, Release Notes)
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4fc-vjm9-9mvc (Exploit, Vendor Advisory)
Published: 2 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026