CVE-2026-24672 - Vulnerability Details

- Open eClass is Vulnerable to Stored Cross-Site Scripting (XSS) in User Profile Fields

Description

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into user profile fields, which is executed when users with viewing privileges access affected application pages. This issue has been patched in version 4.2.

Published: 2026-02-03

Score: 7.3 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A stored cross‑site scripting flaw exists in the user profile fields of the Open eClass platform. Authenticated students can inject arbitrary JavaScript that is saved by the system and executed when other users view the affected pages. This can lead to theft of credentials, session hijacking, or defacement of the application, as the injected code runs in the context of the victim’s browser. The weakness is a classic input‑validation defect identified as CWE‑79.

Affected Systems

The vulnerability was present in all releases of Gunet's Open eClass platform older than version 4.2. The issue was addressed in the 4.2 release with a patch that sanitizes profile input and prevents script execution.

Risk and Exploitability

The CVSS score of 7.3 indicates a high overall severity. The EPSS score of less than 1 % suggests that, at the time of this analysis, the likelihood of exploitation is currently very low and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an authenticated user who can modify profile fields, after which any viewer of that profile could be affected. The high impact combined with a low exploitation probability results in a moderate to high overall risk if the platform receives widespread use without the vendor update.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

gunet

openeclass

affected

Version	Status	Constraints
`< 4.2`	affected	—

Configuration 1 [-]

cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Openeclass	Openeclass	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Open eClass platform to version 4.2 or later to eliminate the stored XSS flaw.
If an upgrade is not immediately possible, restrict or disable the ability of students to edit profile fields to prevent malicious input.
Implement a Content Security Policy that limits script execution to trusted sources, providing a secondary defense against any remaining XSS content.

Generated by OpenCVE AI on April 18, 2026 at 00:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00043.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/gunet/openeclass/security/advisories/GHSA-3p2x-qgxw-qvxh

History

Tue, 10 Feb 2026 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Gunet Gunet open Eclass Platform
CPEs		cpe:2.3:a:gunet:open_eclass_platform::::::::
Vendors & Products		Gunet Gunet open Eclass Platform

Wed, 04 Feb 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 04 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Openeclass Openeclass openeclass
Vendors & Products		Openeclass Openeclass openeclass

Tue, 03 Feb 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into user profile fields, which is executed when users with viewing privileges access affected application pages. This issue has been patched in version 4.2.
Title		Open eClass is Vulnerable to Stored Cross-Site Scripting (XSS) in User Profile Fields
Weaknesses		CWE-79
References		https://github.com/gunet/openeclass/security/advisories/GHSA-3p2x-qgxw-qvxh
Metrics		cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}`

Subscriptions

Gunet Open Eclass Platform

Openeclass Openeclass

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-03T16:56:36.889Z

Updated: 2026-02-04T16:52:30.735Z

Reserved: 2026-01-23T20:40:23.388Z

Link: CVE-2026-24672

Vulnrichment

Updated: 2026-02-04T15:54:24.311Z

NVD

Status : Analyzed

Published: 2026-02-03T18:16:23.870

Modified: 2026-02-10T18:20:55.313

Link: CVE-2026-24672

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T00:30:25Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object