Description
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment files, which is executed when instructors view the submission. This issue has been patched in version 4.2.
Published: 2026-02-03
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The Open eClass platform, a course management system, is affected by a stored XSS flaw. Prior to version 4.2, authenticated students can upload assignment files that contain malicious JavaScript. When an instructor opens the assignment, the injected script runs in the instructor’s browser, allowing an attacker to execute code within that context. This vulnerability is classified under CWE‑79 and may compromise the confidentiality and integrity of instructor sessions.

Affected Systems

The vulnerable product is Open eClass from the gunet vendor. All releases older than version 4.2, including 4.1 and earlier, are susceptible.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, but the EPSS score of less than 1 % suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated student account to upload a crafted assignment, and the impact manifests when an instructor views the file, executing the malicious script in the instructor’s browser.

Generated by OpenCVE AI on April 18, 2026 at 14:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open eClass to version 4.2 or newer, where the XSS issue has been fixed.
  • If an upgrade cannot be performed, enforce upload filtering to discard any files containing executable scripts or disallow JavaScript content before storage.
  • Apply output sanitization or content escaping to all resources that render uploaded assignment files to instructors’ browsers.

Generated by OpenCVE AI on April 18, 2026 at 14:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Gunet
Gunet open Eclass Platform
CPEs cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*
Vendors & Products Gunet
Gunet open Eclass Platform

Wed, 04 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Openeclass
Openeclass openeclass
Vendors & Products Openeclass
Openeclass openeclass

Tue, 03 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
Description The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment files, which is executed when instructors view the submission. This issue has been patched in version 4.2.
Title Open eClass is Vulnerable to Stored Cross-Site Scripting (XSS) via Student Assignment Upload
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Gunet Open Eclass Platform
Openeclass Openeclass
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:52:00.527Z

Reserved: 2026-01-23T20:40:23.387Z

Link: CVE-2026-24665

cve-icon Vulnrichment

Updated: 2026-02-04T15:54:22.796Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-03T18:16:19.543

Modified: 2026-02-10T18:48:23.160

Link: CVE-2026-24665

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z

Weaknesses