Description
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an arbitrary file upload vulnerability in the theme import functionality enables an attacker with administrative privileges to upload arbitrary files to the server's file system. The main cause of the issue is that there is no validation or sanitization of the files present inside the zip archive. This leads to remote code execution on the web server. Version 4.2 patches the issue.
Published: 2026-01-08
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability arises from improper validation of the files contained inside the zip archive used for theme imports. An attacker who can authenticate as an administrator can upload a malicious archive that contains executable code, which the web server then writes to the filesystem without restriction. This allows the attacker to execute arbitrary code on the server. The weakness is classified as CWE‑434, Unrestricted Write to File or Directory.

Affected Systems

Affected systems include the Open eClass course‑management platform distributed by GUnet. All releases earlier than version 4.2 are vulnerable; the vendor released version 4.2, which corrects the file validation logic. Users running any older release are at risk.

Risk and Exploitability

The CVSS score of 7.3 indicates a high-risk flaw, but the EPSS score of less than 1% suggests a very low chance of public exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers need administrative privileges to upload the malicious archive, so the threat is mainly to privileged users or compromised accounts. Despite the low exploitation probability, the impact of remote code execution warrants immediate remediation.

Generated by OpenCVE AI on April 18, 2026 at 07:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Open eClass installation to version 4.2 or later, which includes the vendor‑provided fix for the file validation issue.
  • Restrict administrative privileges to only those users who truly require theme‑import rights and enforce the principle of least privilege.
  • Implement server‑side file‑type checks for all uploads, ensuring that only safe, non‑executable file formats are accepted and that archives are scanned for malicious content before extraction.
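The third action above (inspect an archive's contents before anything is extracted) is what a theme-import handler needs to do to close this class of bug. The following is an added Python illustration, not code from the OpenCVE record or from the Open eClass project: it allowlists the extensions a theme can contain, rejects names that map to a server-side handler anywhere in the path (so a double extension such as style.php.css does not pass), rejects traversal, absolute and symlink entries, caps entry count and uncompressed size, and re-checks each resolved target at write time. The function names, limits and the sample archives are constructed for the example.

```python
import io
import os
import tempfile
import zipfile
from pathlib import PurePosixPath

# Allowlist of what a theme legitimately contains; anything else is rejected (assumed list).
ALLOWED_EXT = {".css", ".png", ".jpg", ".jpeg", ".gif", ".woff", ".woff2", ".ttf", ".txt", ".json"}
# Tokens that commonly map to a server-side handler or server config; rejected anywhere
# in the name so that "style.php.css" cannot slip past the extension allowlist.
FORBIDDEN_TOKENS = (".php", ".phtml", ".phar", ".htaccess", ".cgi")
MAX_ENTRIES = 2000                        # assumed limit
MAX_TOTAL_UNCOMPRESSED = 20 * 1024 * 1024  # assumed zip-bomb guard


def validate_theme_zip(data: bytes) -> list[str]:
    """Inspect every entry before anything is written. Returns rejection reasons; [] means accepted."""
    problems: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            problems.append(f"too many entries ({len(infos)})")
        total = 0
        for info in infos:
            name = info.filename
            total += info.file_size
            parts = PurePosixPath(name).parts
            if name.startswith("/") or "\\" in name or ":" in name or ".." in parts or "\x00" in name:
                problems.append(f"{name}: absolute path or traversal")
                continue
            # Unix mode lives in the high 16 bits of external_attr; 0o120000 marks a symlink.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                problems.append(f"{name}: symlink entries are not allowed")
                continue
            if info.is_dir():
                continue
            lower = name.lower()
            if any(tok in lower for tok in FORBIDDEN_TOKENS):
                problems.append(f"{name}: executable or server-config file")
                continue
            if PurePosixPath(lower).suffix not in ALLOWED_EXT:
                problems.append(f"{name}: extension not in allowlist")
        if total > MAX_TOTAL_UNCOMPRESSED:
            problems.append(f"uncompressed size {total} exceeds limit")
    return problems


def extract_validated_theme(data: bytes, dest: str) -> list[str]:
    """Extract only after validation passes, re-checking that each resolved target stays under dest."""
    problems = validate_theme_zip(data)
    if problems:
        raise ValueError("rejected theme archive: " + "; ".join(problems))
    dest = os.path.realpath(dest)
    written: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"{info.filename}: resolves outside destination")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory (not a real theme)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: one clean theme, one carrying a handler-mapped file,
# a double-extension file and a traversal entry.
GOOD_THEME = build_zip({"css/style.css": b"body{}", "img/logo.png": b"\x89PNG\r\n\x1a\n"})
BAD_THEME = build_zip({
    "css/style.css": b"body{}",
    "shell.php": b"<?php /* placeholder */ ?>",
    "css/style.php.css": b"body{}",
    "../outside.css": b"",
})


def demo() -> list[str]:
    """Extract the clean sample into a temporary directory and return the entry names written."""
    with tempfile.TemporaryDirectory() as tmp:
        return extract_validated_theme(GOOD_THEME, tmp)


if __name__ == "__main__":
    print("good:", validate_theme_zip(GOOD_THEME))
    print("bad:", validate_theme_zip(BAD_THEME))
    print("written:", demo())
```

The validation pass runs over the central directory only, so nothing touches disk until every entry has been accepted; the containment check in `extract_validated_theme` is deliberately redundant with the name checks, since it also covers cases the allowlist does not reason about (for example a destination that is itself a symlink).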

Advisories

No advisories yet.

History

Thu, 22 Jan 2026 14:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:openeclass:openeclass:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Tue, 20 Jan 2026 18:30:00 +0000


Fri, 09 Jan 2026 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openeclass; Openeclass openeclass
Vendors & Products | | Openeclass; Openeclass openeclass

Thu, 08 Jan 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an arbitrary file upload vulnerability in the theme import functionality enables an attacker with administrative privileges to upload arbitrary files on the server's file system. The main cause of the issue is that no validation or sanitization of the file's present inside the zip archive. This leads to remote code execution on the web server. Version 4.2 patches the issue.
Title | | Open eClass has Unrestricted File Upload that Leads to Remote Code Execution (RCE)
Weaknesses | | CWE-434
References | |
Metrics | | cvssV4_0 {'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-01-23T18:18:44.253Z
Reserved: 2026-01-07T05:19:12.920Z
Link: CVE-2026-22241

Vulnrichment

Updated: 2026-01-20T18:01:06.382Z

NVD

Status: Modified
Published: 2026-01-08T15:15:45.720
Modified: 2026-01-23T19:15:54.570
Link: CVE-2026-22241

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses