CVE-2026-24665 in Open eClass
Summary
by MITRE • 02/03/2026
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment files, which is executed when instructors view the submission. This issue has been patched in version 4.2.
Analysis
by VulDB Data Team • 02/11/2026
The Open eClass platform represents a comprehensive course management system that has been widely adopted for educational institutions seeking digital learning solutions. This platform facilitates the creation and management of online courses, assignment submissions, and collaborative learning environments. The system serves as a critical infrastructure component for academic institutions, handling sensitive educational data and user interactions between students and instructors. The vulnerability under discussion affects the platform's handling of user-generated content, specifically within the assignment submission functionality that connects students and instructors in educational workflows.
The technical flaw is a stored cross-site scripting vulnerability in the platform's file upload and rendering mechanisms. It affects the assignment submission process: authenticated students can upload files containing malicious JavaScript, and when instructors subsequently view these submissions, the embedded JavaScript executes within their browser context, creating a persistent security risk. The flaw exists because the platform fails to properly sanitize or escape user-supplied content before rendering it in the web interface; within the assignment file handling system, file content is processed and displayed without adequate security controls to prevent malicious script execution.
The operational impact of this vulnerability extends beyond simple script execution, creating significant risks for educational institutions utilizing the platform. An attacker with student-level access can potentially compromise instructor sessions, steal authentication tokens, redirect users to malicious sites, or extract sensitive information from the platform. The vulnerability undermines the trust model between students and instructors, as it allows malicious actors to exploit the legitimate assignment submission process to gain unauthorized access to instructor accounts. This risk is particularly concerning given that instructors often have elevated privileges and access to confidential student data, course materials, and institutional resources. The stored nature of the vulnerability means that the malicious code persists until manually removed from the platform, creating ongoing exposure for affected institutions.
Mitigation strategies for this vulnerability should begin with immediate deployment of the patched version 4.2, which addresses the XSS flaw through proper input sanitization and output encoding. Organizations should implement comprehensive security testing procedures, including regular vulnerability assessments and code reviews focusing on user input handling. Platform administrators should establish strict file validation policies that prevent execution of potentially malicious content within uploaded assignments. Security controls should include content security policies that limit script execution, together with proper sanitization of all user-generated content before rendering. Additionally, security awareness training for instructors regarding the risks of viewing untrusted assignment submissions can provide a further defense layer. This vulnerability aligns with CWE-79, which covers cross-site scripting flaws, and represents a typical attack vector catalogued under ATT&CK technique T1059.007 for script execution, demonstrating the importance of proper input validation in web application security.
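The controls listed above (output encoding, not rendering uploads as active content, and a restrictive content security policy), as an added illustration in Python that is not Open eClass code (the project itself is written in PHP) and does not describe its actual fix; `serve_submission`, `render_submission_row`, the header values and the sample inputs are constructed for this example:

```python
# Added illustration (not Open eClass code): defensive handling of student-uploaded
# assignment files so their contents are never interpreted as HTML/JavaScript in an
# instructor's browser.  All names and sample inputs are constructed.
import html
import re
from dataclasses import dataclass, field

# Types an instructor may preview inline; anything else is download-only.
INLINE_SAFE_TYPES = {"text/plain", "application/pdf", "image/png", "image/jpeg"}
# Heuristic markers of active content; a word boundary before "on" avoids
# false hits on words such as "version=" or "button=".
_ACTIVE_MARKERS = re.compile(
    rb"<\s*(script|iframe|svg|object|embed)\b|\bon\w+\s*=|javascript:", re.I)

@dataclass
class Response:
    headers: dict = field(default_factory=dict)
    body: bytes = b""

def looks_like_active_content(data: bytes) -> bool:
    """Triage an upload: flag markup that would execute if rendered as HTML."""
    return _ACTIVE_MARKERS.search(data[:65536]) is not None

def serve_submission(filename: str, declared_type: str, data: bytes) -> Response:
    """Serve an uploaded file with headers that stop the browser executing it.
    - force download unless the type is on the allow-list (text/html never is)
    - nosniff prevents a 'text/plain' body being sniffed into HTML
    - a sandboxed, script-less CSP is defence in depth for inline previews
    """
    ctype = declared_type if declared_type in INLINE_SAFE_TYPES else "application/octet-stream"
    if looks_like_active_content(data):
        ctype = "application/octet-stream"  # triage hit: never display inline
    disposition = "inline" if ctype in INLINE_SAFE_TYPES else "attachment"
    safe_name = re.sub(r"[^\w.\-]", "_", filename)  # no quotes/CR/LF in the header
    resp = Response(body=data)
    resp.headers["Content-Type"] = ctype
    resp.headers["X-Content-Type-Options"] = "nosniff"
    resp.headers["Content-Disposition"] = f'{disposition}; filename="{safe_name}"'
    resp.headers["Content-Security-Policy"] = "default-src 'none'; sandbox"
    return resp

def render_submission_row(student: str, filename: str, comment: str) -> str:
    """Escape every student-controlled string before it lands in the instructor's page."""
    e = html.escape
    return f"<tr><td>{e(student)}</td><td>{e(filename)}</td><td>{e(comment)}</td></tr>"
```

The triage regex is a coarse signal for logging and review, not a substitute for the header-based controls, which hold even when the heuristic misses.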