CVE-2026-24665 Overview
CVE-2026-24665 is a stored Cross-Site Scripting (XSS) vulnerability in the Open eClass platform, formerly known as GUnet eClass. The flaw affects all versions prior to 4.2. Authenticated students can inject malicious JavaScript into uploaded assignment files. The payload executes when an instructor views the submission, running in the instructor's browser context. The vendor patched the issue in version 4.2.
Critical Impact
Authenticated students can execute arbitrary JavaScript in instructor browser sessions, enabling session theft, credential harvesting, and unauthorized actions performed under instructor privileges.
Affected Products
- GUnet Open eClass Platform versions prior to 4.2
- Course management deployments using vulnerable assignment submission handlers
- All instructor-facing submission review interfaces in pre-4.2 builds
Discovery Timeline
- 2026-02-03 - CVE-2026-24665 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2026-24665
Vulnerability Analysis
The vulnerability is a stored XSS issue classified under [CWE-79], Improper Neutralization of Input During Web Page Generation. Open eClass accepts assignment file uploads from authenticated students. The platform fails to sanitize or encode file content before rendering it to instructors during submission review. When an instructor opens the malicious submission, the embedded JavaScript executes in the instructor's authenticated browser session. The scope change in the CVSS vector indicates the payload affects resources beyond the attacker's own security context, specifically the instructor's session.
Root Cause
The root cause is missing output encoding on assignment submission content rendered to instructors. The application treats uploaded file content as trusted display data rather than untrusted user input. Standard XSS defenses such as contextual HTML escaping or Content Security Policy enforcement are absent in the affected code path.
Attack Vector
An attacker requires a valid student account on the target Open eClass instance. The student uploads an assignment file containing crafted HTML or JavaScript payloads. When the instructor reviews the submission, the browser parses and executes the embedded script. The attacker can steal session cookies, perform actions as the instructor, modify grades, or pivot to other course resources. User interaction by the instructor is required, which constrains automated mass exploitation.
No verified proof-of-concept code is available. See the GitHub Security Advisory GHSA-2qgm-m7fm-m888 for vendor technical details.
Detection Methods for CVE-2026-24665
Indicators of Compromise
- Assignment submission files containing <script> tags, javascript: URIs, or HTML event handlers such as onerror and onload
- Unexpected outbound requests from instructor browsers to attacker-controlled domains shortly after viewing submissions
- Anomalous grade modifications or course content changes attributed to instructor accounts without corresponding login activity
Detection Strategies
- Scan stored assignment uploads for HTML tags, JavaScript keywords, and encoded script payloads using server-side content inspection
- Review web server access logs for instructor sessions performing administrative actions immediately after /modules/work/ submission views
- Correlate browser telemetry with Open eClass session activity to identify script execution in instructor contexts
Monitoring Recommendations
- Enable verbose application logging for the assignment submission and review modules
- Monitor for spikes in failed Content Security Policy violation reports if CSP is enforced
- Track instructor account behavior for actions inconsistent with typical workflows, such as bulk grade changes or account modifications
How to Mitigate CVE-2026-24665
Immediate Actions Required
- Upgrade all Open eClass deployments to version 4.2 or later without delay
- Audit recent assignment submissions for malicious HTML or JavaScript content prior to instructor review
- Reset instructor session tokens and rotate credentials if compromise is suspected
Patch Information
GUnet released the fix in Open eClass version 4.2. Administrators should follow the upgrade procedure documented in the GitHub Security Advisory GHSA-2qgm-m7fm-m888. Verify the installed version after upgrade by checking the platform configuration files.
Workarounds
- Restrict assignment uploads to non-renderable file formats such as PDF until the upgrade is applied
- Deploy a strict Content Security Policy that blocks inline script execution on instructor pages
- Instruct faculty to download submissions and review them outside the browser rendering context
# Verify Open eClass version after upgrade
grep -r "ECLASS_VERSION" /var/www/openeclass/include/baseTheme.php
# Example CSP header for the web server configuration
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
