The Open eClass platform, formerly known as GUnet eClass, is a comprehensive course management system widely used in academic environments. CVE-2026-24672 identifies a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting versions prior to 4.2. This vulnerability allows authenticated students to inject malicious JavaScript code into user profile fields. When other users with viewing privileges access these profiles, the injected scripts execute in their browsers. The vulnerability exploits improper neutralization of input during web page generation, enabling attackers to compromise user sessions, steal credentials, or perform unauthorized actions within the context of the victim's session. The CVSS v3.1 score of 7.3 reflects a high severity, with an attack vector of network, low attack complexity, requiring privileges (authenticated user), and user interaction (viewing the malicious profile). The scope remains unchanged, but the impact on confidentiality and integrity is high, while availability is unaffected. Although no known exploits are currently in the wild, the vulnerability poses a significant risk to affected deployments. The issue was addressed and patched in Open eClass version 4.2, which includes proper input sanitization and output encoding to prevent script injection.

For European organizations, particularly educational institutions that deploy Open eClass, this vulnerability can lead to significant data breaches and unauthorized access. Attackers exploiting this flaw can hijack user sessions, steal sensitive information such as login credentials, or manipulate user actions, undermining trust in the platform. The impact is especially critical in environments handling personal data of students and staff, potentially violating GDPR regulations if exploited. The vulnerability does not affect system availability but compromises confidentiality and integrity, which can disrupt academic operations and damage institutional reputations. Since the attack requires authenticated access, insider threats or compromised accounts increase risk. The lack of known exploits in the wild reduces immediate threat but does not eliminate the risk of targeted attacks. Organizations failing to upgrade remain vulnerable to exploitation, which could lead to widespread compromise in interconnected academic networks across Europe.

European organizations should prioritize upgrading all Open eClass installations to version 4.2 or later to apply the official patch that resolves this XSS vulnerability. Until upgrades are completed, implement strict input validation and output encoding on user profile fields to neutralize malicious scripts. Employ web application firewalls (WAFs) configured to detect and block XSS payloads targeting profile pages. Conduct regular security audits and penetration testing focusing on user-generated content areas. Limit user privileges to the minimum necessary to reduce the risk of malicious input. Educate users about the risks of clicking on suspicious links or profiles. Monitor logs for unusual activities indicative of exploitation attempts. Additionally, enforce multi-factor authentication to reduce the risk of account compromise, which could facilitate exploitation. Finally, ensure compliance with data protection regulations by promptly addressing vulnerabilities and documenting mitigation efforts.