CVE-2026-24665 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Open eClass platform, a comprehensive course management system widely used in academic environments. The vulnerability exists in versions prior to 4.2 and allows authenticated students to inject malicious JavaScript code into assignment files they upload. When instructors subsequently view these submissions, the injected script executes in their browser context. This improper neutralization of input during web page generation (CWE-79) can lead to significant security risks, including session hijacking, credential theft, or unauthorized actions performed with the instructor's privileges. The attack vector requires the attacker to be an authenticated user (student) and the victim to interact by viewing the malicious content, but no additional user interaction beyond that is necessary. The vulnerability affects confidentiality and integrity but does not impact availability. The issue has been addressed and patched in Open eClass version 4.2, which includes proper input sanitization and output encoding to prevent script injection. Although no known exploits are reported in the wild, the high CVSS score of 8.7 reflects the potential severity of this vulnerability if weaponized. The vulnerability's scope is limited to environments using vulnerable versions of Open eClass, primarily educational institutions relying on this platform for course management and assignment submission.

For European organizations, particularly educational institutions using Open eClass versions prior to 4.2, this vulnerability poses a significant risk. Successful exploitation could allow malicious students to execute arbitrary JavaScript in instructors' browsers, potentially leading to session hijacking, unauthorized access to sensitive academic data, manipulation of grading or course content, and exposure of instructor credentials. This undermines the confidentiality and integrity of academic records and communications. The impact extends to reputational damage and possible regulatory compliance issues under GDPR if personal data is compromised. Since the platform is used for managing coursework and assessments, disruption or manipulation could affect academic integrity and operational continuity. The requirement for authenticated access limits the attack surface but does not eliminate risk, as students inherently have access to upload assignments. The lack of availability impact means systems remain operational but compromised in trustworthiness. European institutions with large user bases and reliance on Open eClass are particularly vulnerable to targeted attacks exploiting this flaw.

The primary and most effective mitigation is to upgrade all Open eClass installations to version 4.2 or later, where this vulnerability has been patched. Organizations should enforce strict access controls to limit assignment upload permissions to authenticated and verified students only. Implementing robust input validation and output encoding on all user-generated content, especially uploaded files and their metadata, is critical to prevent script injection. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Educate instructors and administrators about the risk of viewing untrusted content and encourage the use of updated browsers with security features enabled. Regularly audit and monitor logs for suspicious activity related to assignment submissions and instructor session anomalies. If upgrading immediately is not feasible, consider isolating the assignment viewing interface or using sandboxed environments to limit script execution impact. Finally, maintain an incident response plan to quickly address any suspected exploitation.