CVE-2026-22241
published 2026-01-08

Priority: P2 · 61 · high · 7.2 (CVSS 3.1)
AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 3.08% (86.0th percentile)

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an arbitrary file upload vulnerability in the theme import functionality enables an attacker with administrative privileges to upload arbitrary files to the server's file system. The main cause of the issue is that there is no validation or sanitization of the files present inside the zip archive. This leads to remote code execution on the web server. Version 4.2 patches the issue.

Affected

2 ranges

Vendor       Product      Version range   Fixed in
gunet        openeclass   < 4.2           4.2
openeclass   openeclass   < 4.1           4.1

Detection & IOCs (extracted from sources)

path:     /courses/theme_data/evil.php
filename: evil.php
filename: poc.zip
url:      /modules/admin/theme_options.php
command:  GET /courses/theme_data/<filename>?cmd=<command>
command:  GET /courses/theme_data/<filename>?cmd=rm%20<filename>

  • Detect POST requests to /modules/admin/theme_options.php with a multipart upload containing a ZIP file ('themeFile' field) — this is the upload vector for the malicious ZIP containing a PHP webshell.
  • Alert on any PHP file appearing under the /courses/theme_data/ directory on the web server filesystem, as this is the drop location for the webshell after ZIP extraction.
  • Detect GET requests to /courses/theme_data/*.php containing a 'cmd=' query parameter, indicating webshell command execution.
  • Monitor for ZIP archive uploads to the theme import functionality that contain .php files inside the archive — the vulnerability stems from no validation of files inside the zip archive.
  • Flag POST to /?login_page=1 followed shortly by POST to /modules/admin/theme_options.php with a ZIP upload from the same session — this is the full exploit authentication + upload chain.
  • Exploitation requires valid administrative credentials: this is an authenticated RCE, not unauthenticated. Detections should still fire post-auth as admin accounts may be compromised or weak.
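
The request-level detections above, written as a log scan. This is an added example, not part of the original entry or of the Open eClass project. It assumes access logs in the Apache/nginx "combined" format, uses the client IP as a stand-in for the session, and uses a 10-minute correlation window; the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2026:10:00:01 +0000] "POST /?login_page=1 HTTP/1.1" 302 0 "-" "curl/8.5"
203.0.113.7 - - [08/Jan/2026:10:00:05 +0000] "POST /modules/admin/theme_options.php HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.7 - - [08/Jan/2026:10:00:09 +0000] "GET /courses/theme_data/evil.php?cmd=id HTTP/1.1" 200 40 "-" "curl/8.5"
198.51.100.4 - - [08/Jan/2026:10:02:00 +0000] "GET /courses/theme_data/logo.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Jan/2026:11:30:00 +0000] "POST /modules/admin/theme_options.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SHELL = re.compile(r'^/courses/theme_data/[^?]*\.php\?(?:.*&)?cmd=', re.I)
UPLOAD = "/modules/admin/theme_options.php"
WINDOW = timedelta(minutes=10)  # assumption: tune to your environment


def scan(log_text):
    """Return a list of (rule, client_ip, request_target) findings."""
    findings, last_login = [], {}  # last_login: client IP -> time of last login POST
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, target, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path, _, query = target.partition("?")
        if method == "POST" and "login_page=1" in query.split("&"):
            last_login[ip] = when
        elif method == "POST" and path == UPLOAD:
            # The access log cannot show the multipart body, so every POST
            # here is a candidate theme import; escalate when it follows a login.
            seen = last_login.get(ip)
            chained = seen is not None and when - seen <= WINDOW
            findings.append(("login_then_upload" if chained else "theme_upload", ip, target))
        elif method == "GET" and SHELL.match(target):
            findings.append(("webshell_cmd", ip, target))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Confirming that an upload actually carried a ZIP in the 'themeFile' field requires request-body logging (for example at a WAF), which access logs do not provide.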

CVSS provenance

nvd   v3.1   7.2   HIGH   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd   v4.0   7.3   HIGH   CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X