CVE-2026-22241
Unknown Unknown - Not Provided
Arbitrary File Upload in Open eClass Theme Import Enables RCE

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an arbitrary file upload vulnerability in the theme import functionality enables an attacker with administrative privileges to upload arbitrary files on the server's file system. The main cause of the issue is that no validation or sanitization of the file's present inside the zip archive. This leads to remote code execution on the web server. Version 4.2 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22241
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
gunet openeclass to 4.1 (exc)
gunet openeclass 4.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Open eClass prior to version 4.2 allows an attacker with administrative privileges to upload arbitrary files through the theme import functionality. The issue arises because the system does not validate or sanitize files inside the uploaded ZIP archive, enabling the attacker to include malicious files such as PHP scripts. Once uploaded, these files can be executed on the server, leading to remote code execution. The vulnerability is due to improper handling of ZIP file contents during theme import. [2]

Impact Analysis

Exploiting this vulnerability allows an attacker with admin rights to upload and execute arbitrary code on the web server. This can lead to full compromise of the server, unauthorized access to sensitive data, disruption of services, and potential control over the educational platform's infrastructure. Remote code execution can be used to run system commands, steal data, or further penetrate the network. [2]

Detection Guidance

This vulnerability can be detected by checking for the presence of suspicious PHP files uploaded in the 'courses/theme_data/' directory, especially files that were not part of legitimate theme uploads. You can look for files with PHP extensions in that directory. For example, use the command: `find /path/to/openeclass/courses/theme_data/ -name '*.php'` to list potentially malicious PHP files. Additionally, if you suspect exploitation, you can check web server logs for HTTP requests accessing such files with query parameters like '?cmd='. For example, use: `grep 'courses/theme_data/.*\.php?cmd=' /var/log/apache2/access.log` to find possible command execution attempts. [2]

Mitigation Strategies

Immediate mitigation steps include upgrading Open eClass to version 4.2 or later, where the vulnerability is patched by sanitizing and validating files inside uploaded theme zip archives. If upgrading is not immediately possible, restrict administrative privileges to trusted users only, and monitor the 'courses/theme_data/' directory for unauthorized files. Additionally, enable antivirus scanning on uploaded files if supported, as the patch includes scanning uploads and blocking infected files. Removing any suspicious files found in the theme_data directory and disabling theme import functionality temporarily can also reduce risk. [1, 2]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22241. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart