CVE-2026-22241
Arbitrary File Upload in Open eClass Theme Import Enables RCE
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gunet | openeclass | up to 4.1 (exclusive) |
| gunet | openeclass | 4.0.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Open eClass prior to version 4.2 allows an attacker with administrative privileges to upload arbitrary files through the theme import functionality. The issue arises because the system does not validate or sanitize files inside the uploaded ZIP archive, enabling the attacker to include malicious files such as PHP scripts. Once uploaded, these files can be executed on the server, leading to remote code execution. The vulnerability is due to improper handling of ZIP file contents during theme import. [2]
How can this vulnerability impact me?
Exploiting this vulnerability allows an attacker with admin rights to upload and execute arbitrary code on the web server. This can lead to full compromise of the server, unauthorized access to sensitive data, disruption of services, and potential control over the educational platform's infrastructure. Remote code execution can be used to run system commands, steal data, or further penetrate the network. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for suspicious PHP files in the 'courses/theme_data/' directory, especially files that were not part of a legitimate theme upload; a theme normally needs only stylesheets, images and fonts, so any file with a PHP extension there deserves attention. For example, use the command: `find /path/to/openeclass/courses/theme_data/ -name '*.php'` to list potentially malicious PHP files. Additionally, if you suspect exploitation, check the web server access logs for HTTP requests to such files, particularly requests carrying query parameters like '?cmd='. For example, use: `grep 'courses/theme_data/.*\.php?cmd=' /var/log/apache2/access.log` to find possible command execution attempts. [2]
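The two checks above (files with executable extensions under theme_data, and access-log requests that reach them) combined into one script, as an added example that is not part of this record or of the Open eClass project. It assumes the 'courses/theme_data/' layout named above and an Apache combined log format; the log lines and the directory tree it scans are constructed samples.

```python
import os
import re
import tempfile

# Extensions a typical PHP host will execute. A legitimate theme needs only
# CSS, images and fonts, so any of these under theme_data is worth a look.
EXECUTABLE_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}

# Apache combined log: client ident user [time] "METHOD TARGET PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jan/2026:10:15:01 +0000] "GET /courses/theme_data/1/shell.php?cmd=id HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [08/Jan/2026:10:15:03 +0000] "GET /courses/theme_data/1/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jan/2026:10:16:10 +0000] "POST /courses/theme_data/2/x.php HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '192.0.2.9 - - [08/Jan/2026:10:17:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]


def scan_theme_dir(root):
    """Return paths (relative to root) of files with an executable extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTS:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def suspicious_requests(log_lines):
    """Return one dict per request to an executable file under theme_data.

    A 404 means the file was not there at request time, but the probe itself
    is still evidence worth correlating; has_cmd marks a ?cmd= query string.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than fail
        target = m.group("target")
        path, _, query = target.partition("?")
        if "courses/theme_data/" not in path:
            continue
        if os.path.splitext(path)[1].lower() not in EXECUTABLE_EXTS:
            continue
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "target": target,
            "status": m.group("status"),
            "has_cmd": "cmd=" in query,
        })
    return findings


def build_demo_tree():
    """Constructed theme_data tree: one legitimate theme plus a planted PHP file."""
    root = tempfile.mkdtemp(prefix="theme_data_")
    os.makedirs(os.path.join(root, "1"))
    for rel in ("1/style.css", "1/logo.png", "1/shell.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("")  # contents are irrelevant to the extension check
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print("executable files under theme_data:", scan_theme_dir(demo_root))
    for f in suspicious_requests(SAMPLE_LOG):
        print("request:", f)
```

On a real host, point scan_theme_dir at the actual theme_data directory and feed suspicious_requests the lines of the access log; any hit with has_cmd set should be treated as a likely execution attempt and the file's creation time correlated with the admin session that imported the theme.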
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Open eClass to version 4.2 or later, where the vulnerability is patched by sanitizing and validating files inside uploaded theme zip archives. If upgrading is not immediately possible, restrict administrative privileges to trusted users only, and monitor the 'courses/theme_data/' directory for unauthorized files. Additionally, enable antivirus scanning on uploaded files if supported, as the patch includes scanning uploads and blocking infected files. Removing any suspicious files found in the theme_data directory and disabling theme import functionality temporarily can also reduce risk. [1, 2]
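The kind of validation the fix performs on the uploaded archive, written out as an added example rather than code from this record or from Open eClass: every entry is checked before extraction for path traversal, symlinks, an extension outside a theme allowlist, and a server-side extension hidden anywhere in a multi-dotted name. The allowlist, the size limit and the make_zip helper are assumptions for illustration; the sample archives are constructed in memory.

```python
import io
import posixpath
import zipfile

# Assumption: a theme needs only stylesheets, images and fonts. The real
# allowlist used by the 4.2 fix is not on this page.
ALLOWED_EXTS = {"css", "png", "jpg", "jpeg", "gif", "ico", "woff", "woff2", "ttf", "eot"}
# Rejected wherever they appear in the name (e.g. x.php.css), because some
# PHP handler configurations act on every extension in a filename.
SERVER_SIDE_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps",
                    "phar", "htaccess", "cgi", "pl", "py", "sh"}
MAX_UNCOMPRESSED = 20 * 1024 * 1024  # illustrative cap against zip bombs


def _is_unsafe_path(name):
    """True if extracting this entry could land outside the theme directory."""
    norm = posixpath.normpath(name)
    return (name.startswith(("/", "\\")) or "\\" in name or ":" in name
            or norm == "." or norm.startswith(".."))


def validate_theme_archive(zip_bytes):
    """Return a list of (entry, reason); an empty list means the archive passed."""
    problems = []
    total = 0
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip file")]
    with zf:
        for info in zf.infolist():
            name = info.filename
            if _is_unsafe_path(name):
                problems.append((name, "path escapes the extraction directory"))
                continue
            # Unix mode lives in the high 16 bits; 0o120000 is a symlink.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                problems.append((name, "symlink entries are not allowed"))
                continue
            if name.endswith("/"):
                continue  # directory entry, nothing to execute
            total += info.file_size
            exts = posixpath.basename(name).lower().split(".")[1:]
            if not exts or exts[-1] not in ALLOWED_EXTS:
                problems.append((name, "extension not in theme allowlist"))
            elif any(e in SERVER_SIDE_EXTS for e in exts):
                problems.append((name, "server-side extension embedded in filename"))
    if total > MAX_UNCOMPRESSED:
        problems.append(("<archive>", "uncompressed size exceeds limit"))
    return problems


def make_zip(entries):
    """Build an in-memory zip from {name: bytes}; constructed test input only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


CLEAN_THEME = {"theme/style.css": b"body{}", "theme/logo.png": b"\x89PNG"}
BAD_THEME = {
    "theme/style.css": b"body{}",
    "theme/shell.php": b"<?php /* placeholder */",  # server-side code
    "../../evil.css": b"",                           # traversal
    "theme/x.php.css": b"",                          # double extension
}

if __name__ == "__main__":
    print("clean:", validate_theme_archive(make_zip(CLEAN_THEME)))
    for entry, reason in validate_theme_archive(make_zip(BAD_THEME)):
        print("rejected", entry, "->", reason)
```

The important design point is that the archive is rejected as a whole on the first problem rather than extracted with offending entries skipped; partial extraction leaves the admin-facing import looking successful while an attacker-controlled file may still have landed. The same function can be run over theme archives already on disk as a triage step.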
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.