Cyber Resilience

CVE-2026-22241

Severity: High · Public PoC referenced

Published: 08 January 2026
Modified: 23 January 2026
KEV Added: not listed
Patch: available (version 4.2)
CVSS v4.0 Score: 7.3 (High)
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P (all remaining metrics Not Defined)
EPSS Score: 0.0067 (71.8th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22241 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Open eClass (vendor openeclass, product openeclass). Its CVSS v4.0 base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Web Shell (T1505.003); ranked in the top 28.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Open eClass platform, formerly known as GUnet eClass, is a course management system affected by an arbitrary file upload vulnerability in its theme import functionality prior to version 4.2. The root cause is missing validation or sanitization of files contained inside uploaded zip archives, which permits placement of arbitrary content on the server file system and results in remote code execution. The issue is tracked as CWE-434 and carries a CVSS 4.0 score of 7.3.

An attacker with administrative privileges can exploit the flaw by importing a specially crafted zip archive through the theme functionality, thereby achieving remote code execution on the underlying web server. No other privileges or user interaction are required for successful exploitation. The administrative-privilege requirement (PR:H in the vector) is what keeps the score at High rather than Critical; in practice it means a compromised, phished or insider administrator account is the realistic entry point, and the flaw turns that account into full code execution on the host.
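The missing step the paragraphs above describe is validation of every archive entry before anything is written to disk. The following is an added example for this page, written in Python rather than the project's PHP; it is not Open eClass code and does not reproduce the patched implementation. The extension allowlist, the size limits, the directory layout and both sample archives are constructed assumptions. It shows the checks a theme importer needs (no absolute or traversing paths, no symlinks, no dot files, no executable or double extensions, a size budget) and a second realpath guard at extraction time.

```python
"""Validating theme archives before extraction.

Added example for this page, in Python rather than the project's PHP; not
Open eClass code. Allowlist, limits and sample archives are constructed.
"""
import io
import os
import posixpath
import shutil
import zipfile
from typing import Optional

# Assumed allowlist of static theme asset types; everything else is refused.
ALLOWED_EXTENSIONS = {"css", "js", "png", "jpg", "jpeg", "gif", "svg",
                      "woff", "woff2", "ttf", "json", "txt"}
# Suffixes refused anywhere in a name, so shell.php.png is caught too.
DANGEROUS_SUFFIXES = {"php", "php3", "php4", "php5", "php7", "php8", "phtml",
                      "phar", "inc", "htaccess", "ini", "cgi", "pl", "sh"}
MAX_ENTRIES = 500
MAX_TOTAL_BYTES = 20 * 1024 * 1024  # assumed uncompressed budget against zip bombs


def _norm(name: str) -> str:
    """Normalise an entry name with POSIX rules (zip names are '/'-separated)."""
    return posixpath.normpath(name.replace("\\", "/"))


def check_entry(info: zipfile.ZipInfo) -> Optional[str]:
    """Return a rejection reason for one entry, or None if it is acceptable."""
    name, norm = info.filename, _norm(info.filename)
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return f"absolute path: {name!r}"
    if norm == ".." or norm.startswith("../"):
        return f"path traversal: {name!r}"
    # Unix-created entries keep the file mode in the high 16 bits; 0o120000 is a symlink.
    if (info.external_attr >> 16) & 0o170000 == 0o120000:
        return f"symlink entry: {name!r}"
    if info.is_dir():
        return None
    base = posixpath.basename(norm)
    if base.startswith("."):
        return f"dot file: {name!r}"  # .htaccess or .user.ini could re-map handlers
    parts = base.lower().split(".")
    if len(parts) < 2:
        return f"no extension: {name!r}"
    if any(s in DANGEROUS_SUFFIXES for s in parts[1:]):
        return f"dangerous suffix: {name!r}"
    if parts[-1] not in ALLOWED_EXTENSIONS:
        return f"extension not allowed: {name!r}"
    return None


def validate_theme_archive(data: bytes) -> list:
    """Return every rejection reason; an empty list means the archive may be extracted.
    All names are inspected before anything touches the filesystem."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    with zf:
        infos = zf.infolist()
        problems = [] if len(infos) <= MAX_ENTRIES else [f"too many entries: {len(infos)}"]
        if sum(i.file_size for i in infos) > MAX_TOTAL_BYTES:
            problems.append("uncompressed size over budget")
        problems += [p for p in map(check_entry, infos) if p]
    return problems


def extract_theme_archive(data: bytes, theme_dir: str) -> list:
    """Extract a validated archive under theme_dir; raises ValueError on rejection.
    The realpath check is a second guard in case a name slipped past check_entry."""
    problems = validate_theme_archive(data)
    if problems:
        raise ValueError("; ".join(problems))
    root, written = os.path.realpath(theme_dir), []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            dest = os.path.realpath(os.path.join(root, _norm(info.filename)))
            if os.path.commonpath([root, dest]) != root:
                raise ValueError(f"escapes theme dir: {info.filename!r}")
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(dest)
    return written


def build_archive(entries: dict) -> bytes:
    """Build an in-memory zip for the demo (constructed sample data, not a real theme)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)  # writestr does not sanitise names, which the demo relies on
    return buf.getvalue()


BENIGN = build_archive({"mytheme/theme.css": b"body{}", "mytheme/img/logo.png": b"\x89PNG"})
MALICIOUS = build_archive({
    "mytheme/theme.css": b"body{}",
    "mytheme/shell.php": b"<?php system($_GET['c']); ?>",  # web shell (T1505.003)
    "mytheme/logo.php.png": b"<?php phpinfo(); ?>",        # double extension
    "mytheme/.htaccess": b"AddType application/x-httpd-php .png",
    "../../config/config.php": b"<?php /* overwrite */",    # traversal out of the theme dir
})

if __name__ == "__main__":
    print("benign   :", validate_theme_archive(BENIGN) or "accepted")
    for reason in validate_theme_archive(MALICIOUS):
        print("rejected :", reason)
```

Validation is deliberately separated from extraction so the whole archive is rejected on the first bad entry rather than partially written; the extraction-time realpath check matters because a theme directory that is itself a symlink, or an entry name the static rules did not anticipate, can otherwise still land outside the intended tree. Serving the theme directory with script execution disabled at the web-server level is the complementary control for any file that does get through.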

The vulnerability is fixed in version 4.2, as documented in the project’s GitHub commit 3f9d267b79812a4dd708bb1302339e6a5abe67d9 and the associated security advisories GHSA-gq72-7mwg-424r and GHSA-rf6j-xgqp-wjxg. Additional technical details are provided in a TwelveSec advisory published shortly after disclosure.

The EPSS score rose from a low baseline to a recorded peak of 0.0146 after public disclosure before settling at the current 0.0067 (71.8th percentile), consistent with modest but non-zero exploitation interest.


Vulnerability details

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an arbitrary file upload vulnerability in the theme import functionality enables an attacker with administrative privileges to upload arbitrary files on the server's file system. The main cause of the issue is that there is no validation or sanitization of the files present inside the zip archive. This leads to remote code execution on the web server. Version 4.2 patches the issue.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques

T1505.003 Web Shell (tactic: Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary file upload with no validation directly enables web shell deployment (T1505.003) for RCE on the web server.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-23942 (shared CWE-434)
CVE-2026-4808 (shared CWE-434)
CVE-2024-56264 (shared CWE-434)
CVE-2021-35485 (shared CWE-434)
CVE-2024-56249 (shared CWE-434)
CVE-2024-55417 (shared CWE-434)
CVE-2025-46384 (shared CWE-434)
CVE-2025-13516 (shared CWE-434)
CVE-2024-13011 (shared CWE-434)
CVE-2025-8323 (shared CWE-434)

Affected Assets

openeclass / openeclass, versions ≤ 4.1 (fixed in 4.2)

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 Information Input Validation
Directly mandates validation of uploaded ZIP archive contents (entry names, paths and file types) to prevent arbitrary file uploads leading to remote code execution.

prevent · SI-2 Flaw Remediation
Requires timely flaw remediation by applying patches such as Open eClass version 4.2, which fixes the lack of file validation in theme imports.

prevent · AC-6 Least Privilege
Enforces least privilege to limit administrative access to the vulnerable theme import functionality, reducing the number of accounts whose compromise would allow exploitation.
