CVE-2026-22241
Published: 08 January 2026
Summary
CVE-2026-22241 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the Open eClass course management platform (catalogued as vendor Openeclass, product Openeclass). Its CVSS 4.0 base score is 7.3 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Server Software Component: Web Shell (T1505.003). The CVE ranks in the top 28.2% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Open eClass platform, formerly known as GUnet eClass, is a course management system affected by an arbitrary file upload vulnerability in its theme import functionality prior to version 4.2. The root cause is that the entries of an uploaded zip archive are neither validated nor sanitized before they are written out, so a crafted archive can place arbitrary content, including server-side scripts, on the server file system; once the web server executes such a file, the result is remote code execution. The issue is tracked as CWE-434 and carries a CVSS 4.0 score of 7.3.
An attacker with administrative privileges exploits the flaw by importing a specially crafted zip archive through the theme functionality and thereby gains code execution on the underlying web server, in the security context of the web server process. No further privileges and no user interaction are required. The administrative prerequisite narrows who can trigger the flaw, but it also means that any compromised, phished or malicious platform administrator account converts directly into a foothold on the host, crossing the boundary from application to operating system.
The vulnerability is fixed in version 4.2, as documented in the project’s GitHub commit 3f9d267b79812a4dd708bb1302339e6a5abe67d9 and the associated security advisories GHSA-gq72-7mwg-424r and GHSA-rf6j-xgqp-wjxg. Additional technical details are provided in a TwelveSec advisory published shortly after disclosure.
The EPSS score rose from a low baseline to a recorded peak of 0.0146, an estimated 1.5% probability of exploitation activity within the next 30 days: still low in absolute terms, but a post-disclosure rise that points to emerging exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1672
Vulnerability details
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an arbitrary file upload vulnerability in the theme import functionality enables an attacker with administrative privileges to upload arbitrary files on the server's file system. The main cause of the issue is that there is no validation or sanitization of the files present inside the zip archive. This leads to remote code execution on the web server. Version 4.2 patches the issue.
- CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)
Why these techniques?
- T1505.003 Server Software Component: Web Shell. An arbitrary file upload with no validation of archive contents lets the attacker write a server-side script into a web-served directory; once the web server executes it, the attacker has persistent remote command execution, which is exactly the web shell pattern.
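The technique mapping above describes the outcome: a server-side script dropped into a directory the web server executes. The following is an added example, not Open eClass code (the application is PHP; Python is used so it runs stand-alone), of the detective counterpart an incident responder would want: an audit that walks an already-deployed theme directory and flags what a web shell leaves behind. It checks for script extensions anywhere in a file name (so `cache.png.php` is caught), server configuration overrides such as `.htaccess` that can make "static" assets executable, symlinks, and PHP tags or typical shell primitives inside files that should be static assets. The indicator patterns, file names and the directory tree built by `build_sample_tree()` are constructed assumptions for illustration.

```python
"""Audit a deployed theme directory for web-shell artefacts (T1505.003).
Added example, not Open eClass code; indicators, paths and the sample tree are
constructed assumptions, so this runs stand-alone without a real install."""
import os
import re
import tempfile
from typing import List, Tuple

SCRIPT_PARTS = {"php", "phtml", "php3", "php5", "php7", "phar", "phps", "inc", "cgi"}
CONFIG_OVERRIDES = {".htaccess", ".user.ini"}  # can make "static" assets executable
# Crude but effective PHP web-shell indicators; tune for your estate.
SHELL_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    rb"<\?php", rb"<\?=",
    rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(",
    rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[",
    rb"base64_decode\s*\(",
)]
MAX_SCAN_BYTES = 1 << 20  # only the first MiB of each file is inspected

def audit_theme_dir(root: str) -> List[Tuple[str, str]]:
    """Return (relative path, finding) for every suspicious file under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            low = fname.lower()
            if os.path.islink(full):  # a link can serve content from outside the tree
                findings.append((rel, "symlink inside theme tree"))
                continue
            if low in CONFIG_OVERRIDES:
                findings.append((rel, "server config override file"))
            if SCRIPT_PARTS & set(low.split(".")[1:]):  # catches cache.png.php too
                findings.append((rel, "script extension in file name"))
            with open(full, "rb") as fh:
                head = fh.read(MAX_SCAN_BYTES)
            hits = [p.pattern.decode() for p in SHELL_PATTERNS if p.search(head)]
            if hits:
                findings.append((rel, "shell indicators: " + "; ".join(hits)))
    return sorted(findings)

def build_sample_tree() -> str:
    """Constructed sample: a clean theme plus two planted artefacts, in a temp dir."""
    root = tempfile.mkdtemp(prefix="theme_audit_")
    files = {
        "style.css": b"body { margin: 0; }",
        "img/logo.png": b"\x89PNG\r\n\x1a\n",
        "img/cache.png.php": b"<?php @eval($_POST['x']); ?>",      # planted web shell
        ".htaccess": b"AddType application/x-httpd-php .png\n",  # makes .png executable
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root
```

Run it against a real theme directory with `audit_theme_dir("/path/to/themes")`; a clean theme yields an empty list. Name-based checks run before content checks on purpose: a planted `.htaccess` that re-maps `.png` to PHP is a finding even when its content matches none of the shell patterns.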
Affected Assets
Open eClass (GUnet) prior to version 4.2; fixed in 4.2.
Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)
- SI-10 (Information Input Validation): directly mandates validation of the contents of uploaded ZIP archives (entry paths, file types and file contents) before anything is written to disk, which is the missing check behind this arbitrary upload and the resulting remote code execution.
- SI-2 (Flaw Remediation): requires timely application of patches such as Open eClass version 4.2, which adds the file validation missing from theme imports.
- AC-6 (Least Privilege): limits administrative access to the vulnerable theme import functionality, reducing the number of accounts whose compromise leads to code execution; it does not remove the flaw, since a legitimate administrator can still trigger it.
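The root cause described under Deeper analysis and the SI-10 control listed above call for the same thing: every entry of the uploaded archive is checked before it touches the file system. The block below is an added example of such a hardened importer; it is not Open eClass code and not the project's actual fix (Open eClass is PHP; Python is used so the logic can be run stand-alone). It rejects path traversal, absolute and drive-letter names, symlink entries, dotfiles such as `.htaccess`, any file type outside an allowlist, script extensions hidden behind a harmless suffix (`shell.php.png`), oversized archives, and PHP tags inside files that should be static assets, and it pins extraction to the target directory with a second check on the resolved path. The function names, the extension allowlist, the size limits and the sample archives produced by `build_zip()` are all assumptions for illustration.

```python
"""Hardened theme-archive import: validate every zip entry before writing it.
Added example, not Open eClass code (the application is PHP; Python is used so
the logic runs stand-alone). All names, limits and sample data are assumptions."""
import io, os, posixpath, stat, tempfile, zipfile
from typing import Dict, List, Optional, Tuple

# Allowlist of what a theme may contain (assumed); script types are absent by
# construction. SERVER_EXECUTABLE_PARTS catches "shell.php.png" style names
# that some Apache/PHP handler configurations still execute.
THEME_ASSET_EXTENSIONS = {".css", ".png", ".jpg", ".jpeg", ".gif", ".svg",
                          ".woff", ".woff2", ".ttf"}
SERVER_EXECUTABLE_PARTS = {"php", "phtml", "php3", "php5", "php7", "phar",
                           "phps", "inc", "cgi"}
PHP_MARKERS = (b"<?php", b"<?=")
MAX_ENTRIES, MAX_ENTRY_BYTES, MAX_TOTAL_BYTES = 500, 5 << 20, 20 << 20  # zip-bomb guard

class ThemeImportError(ValueError):
    """Any condition under which the archive must not be imported."""

def _safe_relative_path(name: str) -> str:
    """Normalise an entry name; reject absolute paths, drive letters and traversal."""
    bad = (not name or "\x00" in name or "\\" in name or posixpath.isabs(name)
           or (len(name) > 1 and name[1] == ":") or ".." in name.split("/"))
    norm = "" if bad else posixpath.normpath(name)
    if norm in (".", ""):
        raise ThemeImportError(f"unsafe entry name: {name!r}")
    return norm

def _check_asset(rel: str, info: zipfile.ZipInfo, content: bytes) -> None:
    """Name, type, size and content checks for a regular file entry."""
    base = posixpath.basename(rel).lower()
    if base.startswith("."):  # .htaccess, .user.ini, ...
        raise ThemeImportError(f"hidden/config file not allowed: {rel}")
    if posixpath.splitext(base)[1] not in THEME_ASSET_EXTENSIONS:
        raise ThemeImportError(f"file type not allowed: {rel}")
    if SERVER_EXECUTABLE_PARTS & set(base.split(".")[1:]):
        raise ThemeImportError(f"script extension hidden in name: {rel}")
    if info.file_size > MAX_ENTRY_BYTES:
        raise ThemeImportError(f"entry too large: {rel}")
    if any(m in content for m in PHP_MARKERS):  # a .css carrying PHP is a shell in waiting
        raise ThemeImportError(f"server-side code inside asset: {rel}")

def validate_theme_zip(data: bytes) -> List[Tuple[str, Optional[bytes]]]:
    """Check every entry; return (relative path, bytes, or None for directories)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ThemeImportError(f"not a zip archive: {exc}") from exc
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES or sum(i.file_size for i in infos) > MAX_TOTAL_BYTES:
            raise ThemeImportError("archive exceeds entry or size limits")
        accepted = []
        for info in infos:
            rel = _safe_relative_path(info.filename)
            if stat.S_ISLNK(info.external_attr >> 16):  # a symlink may point outside
                raise ThemeImportError(f"symlink entry: {rel}")
            content = None if info.is_dir() else zf.read(info)
            if content is not None:
                _check_asset(rel, info, content)
            accepted.append((rel, content))
    return accepted

def import_theme(data: bytes, dest_dir: Optional[str] = None) -> List[str]:
    """Validate, then write under dest_dir (a fresh temp dir if None). Returns files written."""
    root = os.path.realpath(dest_dir or tempfile.mkdtemp(prefix="theme_import_"))
    written = []
    for rel, content in validate_theme_zip(data):
        target = os.path.realpath(os.path.join(root, *rel.split("/")))
        if os.path.commonpath([root, target]) != root:  # belt and braces
            raise ThemeImportError(f"entry resolves outside theme dir: {rel}")
        os.makedirs(target if content is None else os.path.dirname(target), exist_ok=True)
        if content is not None:
            with open(target, "wb") as fh:
                fh.write(content)
            written.append(rel)
    return sorted(written)

def rejection_reason(data: bytes) -> Optional[str]:
    """None if the archive passes validation, otherwise why it was refused."""
    try:
        validate_theme_zip(data)
    except ThemeImportError as exc:
        return str(exc)
    return None

def build_zip(entries: Dict[str, bytes], symlinks: Optional[Dict[str, str]] = None) -> bytes:
    """Build a constructed in-memory archive (sample data, not a real theme)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
        for name, link_target in (symlinks or {}).items():  # symlink entry as archivers store it
            zi = zipfile.ZipInfo(name)
            zi.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(zi, link_target)
    return buf.getvalue()

GOOD_THEME = build_zip({"theme/": b"", "theme/style.css": b"body{margin:0}",
                        "theme/img/logo.png": b"\x89PNG\r\n\x1a\n"})  # constructed sample
```

Two design points matter more than any single check. First, the whole archive is validated before a single byte is written, so a rejected entry late in the listing cannot leave earlier entries behind on disk. Second, the allowlist decides what is acceptable and the extra name and content checks only close known bypasses of it; a denylist of "dangerous" extensions is what CWE-434 findings usually turn out to be.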