CVE-2025-65734 - Vulnerability Details

- Authenticated Arbitrary File Upload in gunet Open eClass v3.11 Enables Remote Code Execution via SVG

Description

An authenticated arbitrary file upload vulnerability in the Courses/Work Assignments module of gunet Open eClass v3.11, and fixed in v3.13, allows attackers to execute arbitrary code via uploading a crafted SVG file.

Published: 2026-03-16

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An authenticated arbitrary file upload vulnerability exists in the Courses/Work Assignments module of gunet Open eClass version 3.11. The flaw allows an attacker with valid login credentials to upload a specially crafted SVG file; when processed, the SVG can trigger arbitrary code execution on the server. This attack vector results in the loss of confidentiality, integrity, and potentially availability, as the attacker can execute malicious commands on the application’s host. The weakness is classified as CWE‑79, indicating improper validation of user‑supplied input.

Affected Systems

The vulnerability affects the gunet Open eClass product, specifically version 3.11. The fix was introduced in version 3.13. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 5.4 places the vulnerability in the moderate severity range. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog. Because the exploit requires authenticated access and the upload of a malicious SVG, it is feasible for an attacker possessing legitimate credentials to carry it out. Given the potential for remote code execution, the risk is significant for organizations running vulnerable versions.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:openeclass:openeclass:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Gunet

Open Eclass

80%

Version	Status	Scheme	Platform
`[3.11,3.13)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade gunet Open eClass to version 3.13 or later to eliminate the defect.
If an upgrade is not immediately possible, temporarily disable the Courses/Work Assignments module so that no file uploads can occur.
If the module must remain active, restrict file uploads to non‑executable types and configure the server to forbid executing SVG files.
Continuously monitor upload logs for suspicious activity and apply any additional server‑level restrictions you can deploy.
Check the vendor’s website or security advisories for any additional patches or mitigations.

Generated by OpenCVE AI on March 17, 2026 at 11:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00037.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/apostolides
https://huntr.com/bounties/540f743c-fa3e-4be6-9f85-439fff2fc5fe
https://huntr.com/users/apostolides
https://www.linkedin.com/in/thanos-apostolidis-3255591b1/

History

Fri, 17 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Openeclass Openeclass openeclass
CPEs		cpe:2.3:a:openeclass:openeclass::::::::
Vendors & Products		Openeclass Openeclass openeclass

Tue, 24 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Title		Authenticated Arbitrary File Upload in gunet Open eClass v3.11 Enables Remote Code Execution via SVG

Tue, 17 Mar 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Gunet Gunet open Eclass
Vendors & Products		Gunet Gunet open Eclass

Mon, 16 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-79
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Mar 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		An authenticated arbitrary file upload vulnerability in the Courses/Work Assignments module of gunet Open eClass v3.11, and fixed in v3.13, allows attackers to execute arbitrary code via uploading a crafted SVG file.
References		https://github.com/apostolides https://huntr.com/bounties/540f743c-fa3e-4be6-9f85-439fff2fc5fe https://huntr.com/users/apostolides https://www.linkedin.com/in/thanos-apostolidis-3255591b1/

Subscriptions

Gunet Open Eclass

Openeclass Openeclass

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-03-16T00:00:00.000Z

Updated: 2026-03-16T17:24:36.260Z

Reserved: 2025-11-18T00:00:00.000Z

Link: CVE-2025-65734

Vulnrichment

Updated: 2026-03-16T17:24:32.978Z

NVD

Status : Analyzed

Published: 2026-03-16T17:16:28.137

Modified: 2026-04-17T21:01:15.040

Link: CVE-2025-65734

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:00:56Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object