CVE-2024-47886
Published: 02 March 2026
Summary
CVE-2024-47886 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Chamilo LMS (vendor: Chamilo). Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 20.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing that supplies crafted serialized objects (and, for PHP targets, crafted phar archives) to the application's inputs detects unsafe deserialization paths and drives corrective action.
Deserialization testing, that is, review of how untrusted data is processed before it is deserialized, reveals unsafe handling that the remediation process then addresses.
Sandboxing: untrusted serialized data is deserialized and observed inside an isolated environment, so a gadget chain that fires cannot reach the host outside the sandbox.
Input validation that verifies or rejects untrusted serialized data (including path strings that select a stream wrapper such as phar://) before any deserialization occurs.
Boundary defenses that identify and block malicious code introduced through deserialization of untrusted data at system boundaries.
Integrity verification (for example an HMAC over the serialized bytes) detects tampering before deserialization occurs.
Data provenance tracking identifies untrusted sources so that data from them is rejected before it is deserialized or processed.
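The integrity-verification and validate-or-reject controls above, as an added example written for this page (not Chamilo code): the serialized payload is authenticated with an HMAC before it is touched, and even an authenticated payload is deserialized with object instantiation disabled. The key, token format and sample payloads are constructed for the demo; the function names are hypothetical.

```php
<?php
// Added example, not Chamilo code: integrity-checked deserialization.
// DEMO_KEY is a placeholder; a real deployment loads a random secret from config.
declare(strict_types=1);

const DEMO_KEY = 'replace-with-a-random-32-byte-secret';

/** Serialize $value and append an HMAC so tampering is detectable before unserialize(). */
function seal(mixed $value, string $key): string
{
    $payload = serialize($value);
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, $key);
}

/** Verify the HMAC first, then unserialize with object instantiation disabled. */
function open(string $token, string $key): mixed
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        throw new RuntimeException('malformed token');
    }
    [$b64, $mac] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        throw new RuntimeException('malformed payload');
    }
    $expected = hash_hmac('sha256', $payload, $key);
    // Constant-time compare: a tampered payload is rejected before any deserialization.
    if (!hash_equals($expected, $mac)) {
        throw new RuntimeException('integrity check failed');
    }
    // Even with a valid MAC, never allow attacker-chosen classes: scalars and arrays only.
    // Any serialized object becomes __PHP_Incomplete_Class instead of running gadget code.
    return unserialize($payload, ['allowed_classes' => false]);
}

// Constructed demo: a legitimate token round-trips.
$token = seal(['user_id' => 42, 'role' => 'student'], DEMO_KEY);
var_dump(open($token, DEMO_KEY)['role']);

// Constructed tampering attempt: swap in a serialized object but keep the original MAC.
$evil = base64_encode('O:8:"stdClass":1:{s:4:"role";s:5:"admin";}') . '.' . explode('.', $token)[1];
try {
    open($evil, DEMO_KEY);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The ordering matters: hash_equals() runs before unserialize(), so a forged payload is never parsed, and allowed_classes is a second line of defence for the case where the key itself leaks.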
NVD Description
Chamilo is a learning management system. Chamilo is affected by a post-authentication phar unserialize which leads to a remote code execution (RCE) within versions 1.11.12 to 1.11.26. By abusing multiple supported features from the virtualization plugin vchamilo, the vulnerability allows an administrator to execute arbitrary code on the server. This issue has been patched in version 1.11.26.
Deeper analysis
CVE-2024-47886 is a post-authentication PHP Archive (phar) deserialization vulnerability in Chamilo, an open-source learning management system, classified under CWE-502 (Deserialization of Untrusted Data). The NVD entry lists versions 1.11.12 through 1.11.26 as affected. The underlying mechanism is PHP's phar:// stream wrapper: when a path beginning with phar:// reaches an ordinary filesystem function, PHP opens the archive and unserializes its metadata, so an attacker who can place a crafted phar on the server and steer a path into such a call obtains a deserialization sink without the application ever calling unserialize() itself. Here that path is reached by abusing supported features of the vchamilo virtualization plugin, giving remote code execution (RCE) on the server. The CVSS v3.1 base score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires an authenticated administrator account (PR:H), so this is a privilege-abuse or post-compromise issue rather than an unauthenticated remote vector. A malicious administrator, or an attacker holding an administrator session, can use the plugin's supported features to run arbitrary code on the underlying server, which can lead to full host compromise, data exfiltration, or lateral movement into connected systems.
The fix is tracked in the project's GitHub security advisory (GHSA-c4fc-vjm9-9mvc). Note that the NVD text is internally inconsistent: it names 1.11.26 as the patched version while also listing 1.11.26 as affected, and the advisory references the release notes for v1.11.28. Do not treat 1.11.26 as safe on the strength of this entry alone; confirm the fixed version in the advisory and upgrade to that version or later. Also review who holds administrator accounts in affected deployments, since the vulnerability is only reachable with that privilege, and where the vchamilo plugin is not actually in use, disabling it removes the abused feature surface.
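As an added illustration of the mechanism described above (example code written for this page, not Chamilo or vchamilo code, and not the patched logic): a user-controlled path passed straight to a filesystem call is the phar deserialization sink, and the hardened variant refuses stream wrappers and confines the path to a base directory. The function names and the temp-directory demo are assumptions. The note about PHP 8.0 reflects PHP's own change, which stopped automatically unserializing phar metadata on phar:// stream access; applications on PHP 7.x remain exposed.

```php
<?php
// Added example, not Chamilo/vchamilo code: a phar:// path sink and a hardened check.
declare(strict_types=1);

/**
 * Vulnerable pattern: the path reaches a filesystem call unchanged. On PHP 7.x a
 * value like "phar://var/uploads/avatar.jpg" makes file_exists() open the archive
 * and unserialize() its metadata, so an attacker who can upload a crafted phar and
 * influence this path gets a gadget-chain trigger with no unserialize() in app code.
 */
function vulnerableExists(string $userPath): bool
{
    return file_exists($userPath);
}

/**
 * Hardened: refuse any stream wrapper, refuse NUL bytes, then confine the resolved
 * path to a fixed base directory. Returns the canonical path or null on rejection.
 * Assumes a POSIX host; $baseDir must be a real directory below the filesystem root.
 */
function safeLocalPath(string $userPath, string $baseDir): ?string
{
    // "phar:", "php:", "data:", ... : any scheme prefix is rejected outright.
    // (This also rejects Windows drive letters such as "C:", which is intended here.)
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath) === 1) {
        return null;
    }
    if (str_contains($userPath, "\0")) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR);
    // realpath() resolves "..", symlinks, etc.; a non-existent path yields false.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($resolved === false) {
        return null;
    }
    // Confinement: the resolved path must be the base itself or strictly inside it.
    if ($resolved !== $base && !str_starts_with($resolved, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $resolved;
}

// Constructed demo against the system temp directory.
$base = sys_get_temp_dir();
var_dump(safeLocalPath('phar://' . $base . '/evil.phar/x', $base));  // rejected: scheme prefix
var_dump(safeLocalPath('../../etc/passwd', $base));                   // rejected: escapes base
var_dump(safeLocalPath('.', $base) === rtrim(realpath($base), '/'));  // accepted: inside base
```

The scheme check is deliberately broad rather than a phar:// denylist: any wrapper (php://, data://, compress.zlib://) turns a "file path" into something else, and the confinement step catches traversal that a scheme check alone would miss.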
Details
- CWE(s)