The vulnerability identified as CVE-2026-24674 affects Open eClass, a widely used course management system, formerly known as GUnet eClass. The flaw is a reflected Cross-Site Scripting (XSS) vulnerability classified under CWE-79, caused by improper neutralization of user-supplied input during web page generation. Specifically, the application fails to adequately sanitize or encode input parameters that are reflected in HTTP responses, allowing attackers to craft malicious URLs containing JavaScript payloads. When an authenticated user clicks such a URL, the injected script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim's privileges. The vulnerability does not require the attacker to be authenticated but does require the victim to interact with the malicious link. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, high attack complexity, no privileges required, user interaction required, scope changed, low confidentiality and integrity impact, and no availability impact. The vulnerability was patched in Open eClass version 4.2, and no public exploits have been reported to date. This vulnerability is particularly relevant for institutions relying on Open eClass for online education and course management, where user trust and session integrity are critical.

For European organizations, especially educational institutions and universities using Open eClass versions prior to 4.2, this vulnerability poses a risk of session hijacking and unauthorized actions via malicious JavaScript execution. Attackers could steal sensitive information such as session cookies or personal data, manipulate course content, or perform actions on behalf of authenticated users. Although the impact on availability is none, the confidentiality and integrity of user data and platform operations could be compromised. Given the widespread adoption of Open eClass in Greece and other European countries for e-learning, the threat could disrupt educational activities and erode trust in digital learning environments. The requirement for user interaction limits mass exploitation but targeted phishing campaigns could be effective. The medium CVSS score reflects a moderate risk that should be addressed promptly to avoid potential reputational damage and data breaches.

Organizations should immediately upgrade Open eClass installations to version 4.2 or later, where the vulnerability is patched. Until the upgrade is applied, administrators should implement web application firewall (WAF) rules to detect and block suspicious URL patterns containing script tags or typical XSS payloads. Educate users to avoid clicking on untrusted or suspicious links, especially those received via email or messaging platforms. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly audit and sanitize all user inputs and URL parameters in custom integrations or plugins. Monitor logs for unusual access patterns or repeated attempts to exploit XSS vectors. Finally, maintain an incident response plan to quickly address any successful exploitation attempts.