Platform: php
Component: openeclass
Fixed in: 4.2.1
CVE-2026-24666 describes a Cross-Site Request Forgery (CSRF) vulnerability in Open eClass, an open-source course management system. An attacker who gets an authenticated teacher to load attacker-controlled HTML (a link in an email, a forum post, an embedded page) can make that teacher's browser submit state-changing requests to the platform, which the server accepts because the browser attaches the teacher's session cookie. The vulnerability affects versions of Open eClass prior to 4.2, and a patch has been released in version 4.2.
The primary impact lies in unauthorized modifications to course content and student data performed under the victim's identity. A crafted request executed by a logged-in teacher could alter assignment grades, change course settings, or create new content. This could disrupt the learning environment, compromise data integrity, and potentially enable academic dishonesty. The attacker needs no account on the platform; the victim must hold teacher privileges in the affected Open eClass instance, so the blast radius is bounded by what that teacher's role can do, but within that scope the consequences can be significant. Audit logs will attribute the changes to the teacher, which complicates investigation.
This vulnerability was publicly disclosed on 2026-02-03. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Because a CSRF attack requires nothing beyond a web page that a logged-in teacher visits, exploitation is technically straightforward, though none has been confirmed.
Exploit Status
EPSS: 0.05% (15th percentile)
The recommended mitigation for CVE-2026-24666 is to upgrade Open eClass to version 4.2 or later. If upgrading is not immediately feasible, apply workarounds that actually address CSRF. Multi-factor authentication does not help here: the forged request rides on a session the teacher has already authenticated, MFA included. A Content Security Policy does not help either: CSP governs what the vulnerable site's own pages may load, while the forged request is issued from the attacker's page, where Open eClass's CSP is not in effect. Effective interim measures are (1) setting the SameSite attribute on the session cookie to Lax or Strict, which on PHP 7.3 or later can be done globally with the session.cookie_samesite ini setting so that cross-site form posts no longer carry the cookie; (2) rejecting, at a reverse proxy or web application firewall in front of the instance, POST requests whose Origin or Referer header does not match the site's own origin; and (3) keeping teacher sessions short so that a stale logged-in tab is less likely to be available to an attacker. After upgrading, confirm the fix by submitting a crafted cross-site request for a teacher-only action (for example a grade change) from a page on a different origin while logged in as a test teacher, and verifying that the action is rejected.
Update Open eClass to version 4.2 or higher, which contains the fix for the CSRF vulnerability. Obtain the release from the official Open eClass website and follow the project's upgrade instructions; back up the database and installation directory before upgrading.
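The following is an added example of the server-side pattern that closes this class of bug; it is generic PHP written for this page, not code from Open eClass, and the function names, the `csrf_token` form field, and the request arrays are this example's own. It layers two independent checks on every state-changing request: the browser's stated Origin (falling back to Referer) must match the site's own origin, and the form must carry a per-session synchronizer token that an attacker's page cannot read.

```php
<?php
// Added example (not Open eClass code): CSRF guard for state-changing
// requests in a PHP application. Two independent checks, both must pass:
//   1. Origin/Referer header matches our own site origin.
//   2. The submitted synchronizer token equals the one stored in the session.
// Names below (csrf_token, csrf_check, request_origin) are this example's own.
declare(strict_types=1);

// Issue (or reuse) the per-session token; embed the result in every form as
// <input type="hidden" name="csrf_token" value="...">.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 random bits
    }
    return $session['csrf_token'];
}

// Normalise the request's Origin header (or Referer as a fallback) to
// scheme://host[:port], lower-cased. Returns null when absent or unusable,
// which the caller treats as a rejection (fail closed).
function request_origin(array $server): ?string
{
    $hdr = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($hdr === null || $hdr === 'null') { // "Origin: null" is untrusted
        return null;
    }
    $p = parse_url($hdr);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $port = isset($p['port']) ? ':' . $p['port'] : '';
    return strtolower($p['scheme'] . '://' . $p['host'] . $port);
}

// Return true only for requests that are allowed to change state.
// $server mirrors $_SERVER, $post mirrors $_POST, $session mirrors $_SESSION.
function csrf_check(array $server, array $post, array $session, string $site_origin): bool
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true; // safe methods must not change state; nothing to protect
    }
    if (request_origin($server) !== strtolower($site_origin)) {
        return false; // cross-site (or unidentifiable) origin
    }
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given); // constant-time comparison
}

// --- constructed demonstration: no network, no real users ---
$site = 'https://eclass.example.edu'; // hypothetical instance
$session = [];
$token = csrf_token($session);

// Legitimate submission: our own origin and the session's token.
$legit = csrf_check(
    ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => $site],
    ['csrf_token' => $token],
    $session, $site
);

// Forged submission: the browser would still attach the victim's cookie, but
// the Origin is the attacker's page and the token is unknown to it.
$forged = csrf_check(
    ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://attacker.example'],
    ['csrf_token' => 'guess'],
    $session, $site
);

echo 'legitimate request: ' . ($legit ? 'accepted' : 'rejected') . PHP_EOL;
echo 'forged request:     ' . ($forged ? 'accepted' : 'rejected') . PHP_EOL;
```

The Origin check alone would already stop the forged request, and the token check alone would too; keeping both means a gap in one (a proxy that strips headers, a page that leaks the token) does not reopen the hole. Setting `session.cookie_samesite = Lax` in php.ini (PHP 7.3 or later) is a third, independent layer applied at the cookie rather than in application code.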
CVE-2026-24666 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Open eClass versions before 4.2, allowing attackers to trick teachers into performing unauthorized actions.
You are affected if you are running an Open eClass version earlier than 4.2. Upgrade to 4.2 or later to remove the vulnerability.
The fix is to upgrade Open eClass to version 4.2 or later. Until then, set SameSite=Lax or Strict on the session cookie and block cross-origin POST requests at a reverse proxy; MFA and CSP do not mitigate CSRF.
There is no confirmed active exploitation of CVE-2026-24666 at this time, but the vulnerability is potentially exploitable given its nature.
Refer to the Open eClass security advisories on their official website for the latest information and updates regarding CVE-2026-24666.