Ilias


Products by Ilias Sorted by Most Security Vulnerabilities since 2018

Ilias: 36 vulnerabilities

By the Year

In 2026 there have been 2 vulnerabilities in Ilias with an average score of 4.4 out of ten. Last year, in 2025, Ilias had 3 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Ilias in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 1.68.




Year Vulnerabilities Average Score
2026 2 4.35
2025 3 6.03
2024 5 0.00
2023 8 7.41
2022 5 6.22
2021 2 7.65
2020 2 7.10
2019 1 6.10
2018 9 6.10

It may take a day or so for new Ilias vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Ilias Security Vulnerabilities

CVE-2026-12789, Jun 21, 2026 (Products: Learning Management System)
SQLi in ILIAS LMS 11.0 ilTrQuery::executeQueries
A vulnerability was identified in ILIAS Learning Management System 11.0. This issue affects the function ilTrQuery::executeQueries of the file components/ILIAS/Tracking/classes/class.ilTrQuery.php of the component Learning Progress Tracking. Such manipulation of the argument troup_table_nav leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2020-36944, Jan 28, 2026 (Products: Ilias)
ILIAS LMS 4.3-5.1 SSRF enables LFI via PDF export
ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local files through portfolio PDF export functionality. Attackers can inject a script that uses XMLHttpRequest to retrieve local file contents when the portfolio is exported to PDF.

CVE-2025-11346, Oct 06, 2025 (Products: Ilias)
ILIAS <=8.23/9.13/10.1 Base64 Decoding unserialize deserialization Remote
A vulnerability has been found in ILIAS up to 8.23/9.13/10.1. This affects the function unserialize of the component Base64 Decoding Handler. Such manipulation of the argument f_settings leads to deserialization. It is possible to launch the attack remotely. Upgrading to version 8.24, 9.14 and 10.2 is able to mitigate this issue. It is advisable to upgrade the affected component.

CVE-2025-11345, Oct 06, 2025 (Products: Ilias)
ILIAS Test Import Deserialization via Unserialize (8.23/9.13/10.1)
A flaw has been found in ILIAS up to 8.23/9.13/10.1. Affected by this issue is the function unserialize of the component Test Import. This manipulation causes deserialization. It is possible to initiate the attack remotely. Upgrading to version 8.24, 9.14 and 10.2 can resolve this issue. Upgrading the affected component is advised.

CVE-2025-11344, Oct 06, 2025 (Products: Ilias)
Remote Code Execution in ILIAS Certificate Import Handler <8.24/9.14/10.2
A vulnerability was detected in ILIAS up to 8.23/9.13/10.1. Affected by this vulnerability is an unknown functionality of the component Certificate Import Handler. The manipulation results in Remote Code Execution. The attack may be performed from remote. Upgrading to version 8.24, 9.14 and 10.2 addresses this issue. It is recommended to upgrade the affected component.

CVE-2024-33525, May 21, 2024 (Products: Ilias)
Stored XSS via XML Import in ILIAS 7.20-7.29/8.4-8.10/9.0 (Admin)
A Stored Cross-site Scripting (XSS) vulnerability in the "Import of organizational units and title of organizational unit" feature in ILIAS 7.20 to 7.29 and ILIAS 8.4 to 8.10 as well as ILIAS 9.0 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file upload.

CVE-2024-33527, May 21, 2024 (Products: Ilias)
ILIAS Stored XSS via XML User Import (before 7.30/8.11)
A Stored Cross-site Scripting (XSS) vulnerability in the "Import of Users and login name of user" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file upload.

CVE-2024-33529, May 21, 2024 (Products: Ilias)
ILIAS Remote Auth Admin OS Cmd Exec via File Upload pre 7.30/8.11 & 9.0
ILIAS 7 before 7.30 and ILIAS 8 before 8.11 as well as ILIAS 9.0 allow remote authenticated attackers with administrative privileges to execute operating system commands via file uploads with dangerous types.

CVE-2024-33528, May 21, 2024 (Products: Ilias)
Stored XSS via XML Upload in ILIAS 7/8 (7.29/8.10)
A Stored Cross-site Scripting (XSS) vulnerability in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with tutor privileges to inject arbitrary web script or HTML via XML file upload.

CVE-2024-33526, May 21, 2024 (Products: Ilias)
ILIAS XML User Role Import XSS before 7.30/8.11 with Admin Auth
A Stored Cross-site Scripting (XSS) vulnerability in the "Import of user role and title of user role" feature in ILIAS 7 before 7.30 and ILIAS 8 before 8.11 allows remote authenticated attackers with administrative privileges to inject arbitrary web script or HTML via XML file upload.

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).