CVE-2026-24671 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Open eClass platform, a widely used course management system primarily deployed in academic environments. The vulnerability exists in versions prior to 4.2 and stems from improper neutralization of input during web page generation (CWE-79). Authenticated users with high privileges—such as teachers or administrators—can inject malicious JavaScript code into multiple input fields that are stored and later rendered in web pages viewed by other users. When these pages are accessed, the injected scripts execute in the context of the victim's browser, potentially allowing attackers to steal session tokens, perform actions on behalf of users, or manipulate displayed content. The vulnerability requires the attacker to have authenticated access with elevated privileges and for victims to interact with the affected pages, which limits exploitation scope but still poses a significant risk within the user base. The CVSS 3.1 base score of 6.1 reflects a medium severity, with attack vector being network-based, low attack complexity, high privileges required, and user interaction necessary. The vulnerability does not impact availability but compromises confidentiality and integrity. The issue has been addressed and patched in Open eClass version 4.2. No known public exploits have been reported to date, but the presence of stored XSS in a learning management system used by educational institutions warrants prompt remediation.

For European organizations, particularly educational institutions using Open eClass, this vulnerability could lead to unauthorized disclosure of sensitive information such as user credentials, personal data, or course materials through session hijacking or content manipulation. Attackers with high privileges could inject scripts that compromise the integrity of the platform, misleading users or altering displayed information. While availability is not directly affected, the trustworthiness of the platform could be undermined, impacting user confidence and potentially violating data protection regulations like GDPR if personal data is exposed. The requirement for high-privileged authenticated users to initiate the attack reduces the risk of external exploitation but raises concerns about insider threats or compromised privileged accounts. The impact is heightened in environments with large user bases, including students and staff, where widespread exposure to malicious scripts could occur. Additionally, the educational sector's strategic importance in Europe and the sensitivity of academic data make this vulnerability a notable risk.

Organizations should immediately upgrade Open eClass installations to version 4.2 or later, where the vulnerability has been patched. Until upgrades are completed, restrict high-privileged user access to trusted personnel only and monitor for unusual activity indicative of attempted script injection. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the application context. Conduct regular security training for administrators and teachers to raise awareness about the risks of injecting untrusted content. Employ web application firewalls (WAFs) configured to detect and block XSS payloads targeting known vulnerable input fields. Review and sanitize all user inputs rigorously, even from trusted users, to prevent injection of malicious code. Regularly audit logs for signs of suspicious input or script execution. Finally, ensure that incident response plans include procedures for handling XSS incidents in educational platforms.