PT-2026-44080 · Unknown · Relate Lms
Emreefedogan · Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-47161
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
RELATE versions prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb
Description
RELATE LMS configures its Celery workers to accept and deserialize untrusted pickle data. Pickle is a Python module used for serializing and deserializing objects. An attacker with access to the message broker can execute arbitrary commands on the host server. Due to missing network isolation in the code execution sandbox, an authenticated student can achieve full Remote Code Execution (RCE) on the host system.
Recommendations
Update to the version containing commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb.
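To confirm after updating that a deployment's Celery workers no longer accept pickle, the serializer settings can be audited as below. This is an added example, not code from RELATE or from this advisory: the setting names are Celery's own, while the `CELERY` namespace prefix, the helper names and the sample settings are assumptions made for illustration.

```python
# Added example: flag Celery serializer settings that allow pickle.
# Setting names are Celery's; the sample settings below are constructed.

# Names under which Celery/kombu know the pickle serializer.
PICKLE_NAMES = {"pickle", "application/x-python-serialize"}

# Lowercase setting name -> value assumed when unset (Celery 4.0+ defaults).
# result_accept_content falls back to accept_content, so unset means "skip".
CHECKED = {
    "accept_content": ["json"],
    "result_accept_content": None,
    "task_serializer": "json",
    "result_serializer": "json",
}


def _lookup(settings, key, namespace):
    """Find a setting in lowercase form or Django-style NAMESPACE_UPPER form."""
    for candidate in (key, f"{namespace}_{key.upper()}"):
        if candidate in settings:
            return candidate, settings[candidate]
    return key, CHECKED[key]


def audit_celery_serializers(settings, namespace="CELERY"):
    """Return sorted (setting_name, value) pairs that permit pickle."""
    findings = []
    for key in CHECKED:
        name, value = _lookup(settings, key, namespace)
        if value is None:
            continue
        values = [value] if isinstance(value, str) else list(value)
        findings += [(name, v) for v in values
                     if str(v).strip().lower() in PICKLE_NAMES]
    return sorted(findings)


# Constructed sample: settings that opt in to pickle.
WEAK = {"CELERY_ACCEPT_CONTENT": ["pickle", "json"],
        "CELERY_TASK_SERIALIZER": "pickle",
        "CELERY_RESULT_SERIALIZER": "pickle"}
# Constructed sample: JSON only.
HARDENED = {"CELERY_ACCEPT_CONTENT": ["json"],
            "CELERY_TASK_SERIALIZER": "json",
            "CELERY_RESULT_SERIALIZER": "json"}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_celery_serializers(cfg))
```

An empty result means none of the checked settings name pickle; it says nothing about broker reachability from the sandbox, which has to be verified separately.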
Exploit
Fix
Deserialization of Untrusted Data
Weakness Enumeration
Related Identifiers
Affected Products
Relate Lms