Deserialization Vulnerability in ILIAS e-Learning Software
CVE-2025-11346

5.3MEDIUM

Key Information:

Vendor

ILIAS open source e-Learning e. V.

Status
Ilias
Vendor
CVE Published:
6 October 2025

What is CVE-2025-11346?

A vulnerability exists in ILIAS versions up to 10.1, specifically within the Base64 Decoding Handler's unserialize function. This issue allows for remote manipulation of the f_settings argument, leading to deserialization vulnerabilities. Attackers can exploit this weakness to potentially execute arbitrary code remotely. It is strongly recommended to upgrade to ILIAS versions 8.24, 9.14, or 10.2 to resolve this issue and enhance security.

Affected Version(s)

ILIAS 8.0

ILIAS 8.1

ILIAS 8.2

References

https://vuldb.com/?id.327231
vdb-entrytechnical-description
https://vuldb.com/?ctiid.327231
signaturepermissions-required
https://vuldb.com/?submit.664892
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

rehme_srlabs (VulDB User)
JSON
.
CVE-2025-11346 : Deserialization Vulnerability in ILIAS e-Learning Software