How to fix CVE-2024-47886?

Within 24 hours: Audit all Chamilo instances to identify affected versions and document user access patterns. Within 7 days: Implement network segmentation to restrict Chamilo access, disable unnecessary features, and apply WAF rules blocking serialized object exploitation. Within 30 days: Upgrade to patched Chamilo version (1.11.27 or later) or migrate to alternative LMS solution; establish vulnerability monitoring for vendor updates.

Is Deserialization affected by CVE-2024-47886?

Chamilo LMS instances running versions 1.11.12 through 1.11.26 are vulnerable to remote code execution through a post-authentication exploit with no available patch.

CVE-2024-47886

HIGH

2026-03-02 [email protected]

7.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 03, 2026 - 19:11 vuln.today

Public exploit code

CVE Published

Mar 02, 2026 - 15:16 nvd

HIGH 7.2

Description

Chamilo is a learning management system. Chamillo is affected by a post-authentication phar unserialize which leads to a remote code execution (RCE) within versions 1.11.12 to 1.11.26. By abusing multiple supported features from the virtualization plugin vchamilo, the vulnerability allows an administrator to execute arbitrary code on the server. This issue has been patched in version 1.11.26.

Analysis

Technical Context

Classified as CWE-502 (Deserialization of Untrusted Data). Affects Chamilo Lms. Chamilo is a learning management system. Chamillo is affected by a post-authentication phar unserialize which leads to a remote code execution (RCE) within versions 1.11.12 to 1.11.26. By abusing multiple supported features from the virtualization plugin vchamilo, the vulnerability allows an administrator to execute arbitrary code on the server. This issue has been patched in version 1.11.26.

Affected Products

Vendor: Chamilo. Product: Chamilo Lms.

Remediation

Fixed in version 1.11.26.. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.9

CVSS: +36

POC: +20

CVE-2024-47886 vulnerability details – vuln.today

Back

CVE-2024-47886

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2024-47886

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code