CVE-2026-24672
Published: 03 February 2026
Summary
CVE-2026-24672 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Gunet Open Eclass Platform. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 18.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-24672 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79, in the Open eClass platform (formerly known as GUnet eClass), a complete course management system. It affects versions prior to 4.2, specifically in user profile fields that fail to sanitize input properly, allowing injected JavaScript to persist and execute.
Authenticated students can exploit this vulnerability by injecting malicious JavaScript into their own user profile fields. The payload executes in the browsers of users with viewing privileges when they access affected application pages, potentially leading to high confidentiality and integrity impacts such as session hijacking, data theft, or page manipulation. The CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N) indicates network accessibility, low attack complexity, low privileges required, and user interaction needed, with no availability disruption.
The issue has been patched in Open eClass version 4.2. Additional details on the vulnerability and mitigation are available in the GitHub security advisory at https://github.com/gunet/openeclass/security/advisories/GHSA-3p2x-qgxw-qvxh.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5237
Vulnerability details
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into user profile fields, which is executed when…
more
users with viewing privileges access affected application pages. This issue has been patched in version 4.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS directly enables browser-based session hijacking (T1185) and web session cookie theft (T1539) via injected JavaScript execution in victim browsers.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of all user-supplied profile fields to block persistent JavaScript injection before storage.
Requires filtering or encoding of profile data on output so that stored malicious scripts are neutralized before execution in viewers' browsers.
Provides integrity verification of user-supplied content that can detect unauthorized script insertion after the fact.