CVE-2024-47886

Source
https://cve.org/CVERecord?id=CVE-2024-47886
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47886.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-47886
Aliases
  • GHSA-c4fc-vjm9-9mvc
Published
2026-03-02T14:23:50.532Z
Modified
2026-03-03T02:35:21.283263Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Chamilo: Post-Auth Remote Code Execution
Details

Chamilo is a learning management system. Chamilo is affected by a post-authentication phar unserialize vulnerability that leads to remote code execution (RCE) in versions 1.11.12 to 1.11.26. By abusing multiple supported features of the virtualization plugin vchamilo, an administrator can execute arbitrary code on the server. This issue has been patched in version 1.11.26.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47886.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-502"
    ]
}
References

Affected packages

Git / github.com/chamilo/chamilo-lms

Affected ranges

Type
GIT
Repo
https://github.com/chamilo/chamilo-lms
Events
Database specific
{
    "versions": [
        {
            "introduced": "1.11.12"
        },
        {
            "fixed": "1.11.28"
        }
    ]
}

Affected versions

v1.*
v1.11.12
v1.11.14
v1.11.14-beta.1
v1.11.18
v1.11.20
v1.11.20-beta.1
v1.11.22
v1.11.22-beta.1
v1.11.22-beta.2
v1.11.24
v1.11.26
v1.11.26-rc.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47886.json"