Description
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a file upload validation bypass vulnerability allows attackers to upload files with prohibited extensions by embedding them inside ZIP archives and extracting them using the application’s built-in decompression functionality. This issue has been patched in version 4.2.
Published: 2026-02-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Upload – Potential for Execution
Action: Apply Patch
AI Analysis

Impact

An upload validation bypass allows attackers to embed disallowed file types inside a ZIP archive that the application automatically extracts, enabling the storage of arbitrary files on the server. This flaw (CWE‑434) permits files that would normally be rejected by the upload filter to reach the file system and potentially be executed or accessed, leading to data disclosure or platform compromise.

Affected Systems

The Open eClass course management system, produced by gunet, is affected up to version 4.1. The issue is fixed in version 4.2. Users running earlier releases are vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk, while the EPSS score of below 1% suggests low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to control the upload interface, create a ZIP with a prohibited file, and initiate the upload; no network access beyond the application layer is required.

Generated by OpenCVE AI on April 18, 2026 at 14:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open eClass to version 4.2 or later to apply the vendor patch.
  • Disable automatic extraction of ZIP archives during file uploads if updating to 4.2 is not yet possible.
  • Restrict uploaded ZIP contents by enforcing strict file type validation, rejecting prohibited extensions even after extraction.
  • Monitor upload logs for anomalous ZIP file uploads that may indicate attempted exploitation.

Generated by OpenCVE AI on April 18, 2026 at 14:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Gunet
Gunet open Eclass Platform
CPEs cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*
Vendors & Products Gunet
Gunet open Eclass Platform

Wed, 04 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Openeclass
Openeclass openeclass
Vendors & Products Openeclass
Openeclass openeclass

Tue, 03 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
Description The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a file upload validation bypass vulnerability allows attackers to upload files with prohibited extensions by embedding them inside ZIP archives and extracting them using the application’s built-in decompression functionality. This issue has been patched in version 4.2.
Title Open eClass Has File Upload Filter Bypass via ZIP Archive Extraction
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Gunet Open Eclass Platform
Openeclass Openeclass
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T16:52:24.978Z

Reserved: 2026-01-23T20:40:23.388Z

Link: CVE-2026-24673

cve-icon Vulnrichment

Updated: 2026-02-04T15:46:37.367Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-03T18:16:24.023

Modified: 2026-02-10T17:32:26.703

Link: CVE-2026-24673

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z

Weaknesses