CVE-2026-24665

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment files, which is executed when instructors view the submission. This issue has been patched in version 4.2.

CVSS v3 8.7 HIGH

8.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/gunet/openeclass/security/advisories/GHSA-2qgm-m7fm-m888	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-03 18:16

Updated : 2026-02-10 18:48

NVD link : CVE-2026-24665

Mitre link : CVE-2026-24665

CVE.ORG link : CVE-2026-24665

JSON object : View

Products Affected

gunet

open_eclass_platform

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-24665", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2026-02-03T18:16:19.543", "references": [{"url": "https://github.com/gunet/openeclass/security/advisories/GHSA-2qgm-m7fm-m888", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment files, which is executed when instructors view the submission. This issue has been patched in version 4.2."}, {"lang": "es", "value": "La plataforma Open eClass (anteriormente conocida como GUnet eClass) es un sistema completo de gesti\u00f3n de cursos. Antes de la versi\u00f3n 4.2, una vulnerabilidad de cross-site scripting (XSS) almacenado permite a los estudiantes autenticados inyectar JavaScript malicioso en los archivos de tareas subidos, que se ejecuta cuando los instructores ven la entrega. Este problema ha sido parcheado en la versi\u00f3n 4.2."}], "lastModified": "2026-02-10T18:48:23.160", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gunet:open_eclass_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62F1C084-2C90-4AB3-A13E-28323DC385C0", "versionEndExcluding": "4.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}