5
CVE-2026-24667 - Open eClass's Active Sessions Not Invalidated After Password Change Allow Persistent Account Access
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, failure to invalidate active user sessions after a password change allows existing session tokens to remain valid, potentially enabling unauthorized continued access to user accou…
6.5
CVE-2026-24666 - Open eClass is Vulnerable to CSRF in Teacher-Restricted Endpoints Allows Unauthorized Actions
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Cross-Site Request Forgery (CSRF) vulnerability in multiple teacher-restricted endpoints allows attackers to induce authenticated teachers to perform unintended actions, such as…
8.7
CVE-2026-24665 - Open eClass is Vulnerable to Stored Cross-Site Scripting (XSS) via Student Assignment Upload
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment files, which is executed when instructors v…
4.3
CVE-2026-24774 - Open eClass Business Logic Flaw Allows Students to Mark Attendance in Expired Activities
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a business logic vulnerability allows authenticated students to improperly mark themselves as present in attendance activities, including activities that have already expired, by …
7.5
CVE-2026-24773 - Open eClass Unauthenticated IDOR Allows Access to Arbitrary User Files
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting predictable user id…
4.7
CVE-2026-24674 - Open eClass is Vulnerable to Reflected Cross-Site Scripting (XSS) in Multiple Endpoints
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Reflected Cross-Site Scripting (XSS) vulnerability allows remote attackers to execute arbitrary JavaScript in the context of authenticated users by crafting malicious URLs and t…
4.3
CVE-2026-24673 - Open eClass Has File Upload Filter Bypass via ZIP Archive Extraction
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a file upload validation bypass vulnerability allows attackers to upload files with prohibited extensions by embedding them inside ZIP archives and extracting them using the appli…
7.3
CVE-2026-24672 - Open eClass is Vulnerable to Stored Cross-Site Scripting (XSS) in User Profile Fields
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into user profile fields, which is executed when users with viewing …
6.1
CVE-2026-24671 - Open eClass is Vulnerable to Stored Cross-Site Scripting (XSS) in Multiple High-Privilege User Fiel…
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated high-privileged users (teachers or administrators) to inject malicious JavaScript into multiple user-control…
6.5
CVE-2026-24670 - Open eClass Has Broken Access Control in Course Units Module Allows Students to Create Units
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to create new course units, an action normally restricted to higher-privileged roles. This issue has been patch…