Remote Code Execution (CVE‑2026‑22241) Discovered in GUnet OpenEclass < v4.2 E‑Learning Platform
What Happened — A remote code execution vulnerability (CVE‑2026‑22241) affecting GUnet OpenEclass versions prior to 4.2 was publicly disclosed on Exploit‑DB. An unauthenticated attacker can upload a malicious PHP web‑shell to the theme_data directory and execute arbitrary system commands via a crafted cmd query parameter.
Why It Matters for TPRM —
- OpenEclass is deployed by universities, corporate training programs, and SaaS providers, exposing large user populations.
- RCE can be leveraged to steal credentials, exfiltrate course materials, or pivot to broader network compromise.
- The flaw highlights the importance of verifying third‑party vendors’ patch‑management processes and contractual security obligations.
Who Is Affected — Education institutions, corporate learning & development departments, and any organization that hosts a self‑managed OpenEclass instance.
Recommended Actions —
- Confirm that every OpenEclass deployment runs version 4.2 or later; if not, schedule an immediate upgrade.
- Until patched, block file uploads to the theme_data path and enforce a Web Application Firewall rule that sanitises the cmd parameter.
- Review vendor contracts for explicit security‑patch timelines and include remediation clauses for critical vulnerabilities.
Technical Notes — The vulnerability resides in the file‑upload handling of the theme_data directory. An attacker uploads a PHP payload (e.g., shell.php) and then triggers command execution via https://target/openeclass/courses/theme_data/shell.php?cmd=<command>. No public patch existed at the time of disclosure; the vendor has since released version 4.2, which resolves the issue. Affected data may include any files on the web server, user credentials, and course content.
Source: https://www.exploit-db.com/exploits/52519
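As an added example (not part of this advisory or the Exploit‑DB entry), the following Python implements the two checks a defender would run against the pattern described above: it scans web‑server access logs for requests to PHP files under courses/theme_data, escalating when a cmd parameter is present, and lists any stray PHP files found in a theme_data directory. The log lines are constructed samples, and the severity labels and file‑extension list are assumptions.

```python
"""Defensive checks for CVE-2026-22241 (OpenEclass < 4.2): flag requests that
execute PHP under courses/theme_data and list stray PHP files on disk.
Sample log lines below are constructed, not real traffic."""
import re
from pathlib import Path
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# theme_data should hold theme assets (CSS, images), never executable PHP.
# Extension list is an assumption covering common PHP-executable suffixes.
THEME_DATA_PHP = re.compile(
    r'/courses/theme_data/[^/?]+\.(?:php\d*|phtml|phar)$', re.IGNORECASE)

def classify(line):
    """Return None for benign lines, else a dict describing the finding."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])
    if not THEME_DATA_PHP.search(url.path):
        return None
    params = parse_qs(url.query)
    return {
        'ip': m['ip'], 'path': url.path, 'status': m['status'],
        # Any PHP under theme_data is suspicious; a cmd parameter matches the
        # published exploitation pattern, so it is rated critical (assumed labels).
        'severity': 'critical' if 'cmd' in params else 'high',
    }

def scan_log(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(l) for l in lines) if f]

def stray_php_files(theme_data_dir):
    """List PHP files under a theme_data directory; a clean install yields []."""
    root = Path(theme_data_dir)
    if not root.is_dir():
        return []
    return sorted(str(p) for p in root.rglob('*') if THEME_DATA_PHP.search(
        '/courses/theme_data/' + p.name))

SAMPLE_LOG = [  # constructed sample traffic
    '203.0.113.7 - - [12/Jan/2026:10:01:02 +0000] "GET /openeclass/courses/theme_data/site.css HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jan/2026:10:01:09 +0000] "GET /openeclass/courses/theme_data/shell.php HTTP/1.1" 200 88',
    '203.0.113.7 - - [12/Jan/2026:10:01:15 +0000] "GET /openeclass/courses/theme_data/shell.php?cmd=test HTTP/1.1" 200 1020',
]

if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Point scan_log at the real access log (one line per iteration) and stray_php_files at the deployment's courses/theme_data directory; a non-empty result from either warrants incident handling, since that directory should never serve PHP.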