gunet CVE Vulnerabilities & Metrics

Focus on gunet vulnerabilities and metrics.

Last updated: 15 Feb 2026, 23:25 UTC

About gunet Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with gunet. We track both calendar-based metrics (using fixed periods) and rolling metrics (using sliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total gunet CVEs: 20
Earliest CVE date: 19 Aug 2020, 12:15 UTC
Latest CVE date: 03 Feb 2026, 18:16 UTC

Latest CVE reference: CVE-2026-24774

Rolling Stats

30-day Count (Rolling): 18
365-day Count (Rolling): 18

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

CVSS Stats

Average CVSS: 0.43

Max CVSS: 4.3

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 18
4.0-6.9 2
7.0-8.9 0
9.0-10.0 0

Top 5 Highest CVSS gunet CVEs

These are the five CVEs with the highest CVSS scores for gunet, sorted by severity first, then by recency.

All CVEs for gunet

CVE-2026-24774 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a business logic vulnerability allows authenticated students to improperly mark themselves as present in attendance activities, including activities that have already expired, by directly accessing a crafted URL. This issue has been patched in version 4.2.

CVE-2026-24773 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting predictable user identifiers. This issue has been patched in version 4.2.

CVE-2026-24674 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Reflected Cross-Site Scripting (XSS) vulnerability allows remote attackers to execute arbitrary JavaScript in the context of authenticated users by crafting malicious URLs and tricking victims into visiting them. This issue has been patched in version 4.2.

CVE-2026-24673 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a file upload validation bypass vulnerability allows attackers to upload files with prohibited extensions by embedding them inside ZIP archives and extracting them using the application’s built-in decompression functionality. This issue has been patched in version 4.2.

CVE-2026-24672 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into user profile fields, which is executed when users with viewing privileges access affected application pages. This issue has been patched in version 4.2.

CVE-2026-24671 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated high-privileged users (teachers or administrators) to inject malicious JavaScript into multiple user-controllable input fields across the application, which is executed when other users access affected pages. This issue has been patched in version 4.2.

CVE-2026-24670 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to create new course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2.

CVE-2026-24669 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an insecure password reset mechanism allows local attackers to reuse a valid password reset token after it has already been used, enabling unauthorized password changes and potential account takeover. This issue has been patched in version 4.2.

CVE-2026-24668 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to add content to existing course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2.

CVE-2026-24667 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, failure to invalidate active user sessions after a password change allows existing session tokens to remain valid, potentially enabling unauthorized continued access to user accounts. This issue has been patched in version 4.2.

CVE-2026-24666 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Cross-Site Request Forgery (CSRF) vulnerability in multiple teacher-restricted endpoints allows attackers to induce authenticated teachers to perform unintended actions, such as modifying assignment grades, via crafted requests. This issue has been patched in version 4.2.

CVE-2026-24665 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment files, which is executed when instructors view the submission. This issue has been patched in version 4.2.

CVE-2026-24664 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identify valid user accounts by analyzing differences in the login response behavior. This issue has been patched in version 4.2.

CVE-2020-37116 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

GUnet OpenEclass 1.7.3 includes phpMyAdmin 2.10.0.2 by default, which allows remote logins. Attackers with access to the platform can remotely access phpMyAdmin and, after uploading a shell, view the config.php file to obtain the MySQL password, leading to full database compromise.

CVE-2020-37115 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

GUnet OpenEclass 1.7.3 stores user credentials in plaintext, allowing administrators to view all registered users' usernames and passwords without encryption. This vulnerability exposes sensitive information and increases the risk of credential theft and unauthorized access.

CVE-2020-37114 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

GUnet OpenEclass 1.7.3 allows unauthenticated and authenticated users to access sensitive information, including system information, application version, and other students' uploaded assessments, due to improper access controls and information disclosure flaws in various modules. Attackers can retrieve system info, version info, and view or download other users' files without proper authorization.

CVE-2020-37113 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

GUnet OpenEclass 1.7.3 allows authenticated users to bypass file extension restrictions when uploading files. By renaming a PHP file to .php3 or .PhP, an attacker can upload a web shell and execute arbitrary code on the server. This vulnerability enables remote code execution by bypassing the intended file type checks in the exercise submission feature.

CVE-2020-37112 | gunet vulnerability | CVSS: 0 | 03 Feb 2026, 18:16 UTC

GUnet OpenEclass 1.7.3 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through unvalidated parameters. Attackers can exploit the 'month' parameter in the agenda module and other endpoints to extract sensitive database information using error-based or time-based injection techniques.

CVE-2021-44266 | gunet vulnerability | CVSS: 4.3 | 11 Jun 2022, 15:15 UTC

GUnet Open eClass (aka openeclass) before 3.12.2 allows XSS via the modules/auth/formuser.php auth parameter.

CVE-2020-24381 | gunet vulnerability | CVSS: 4.3 | 19 Aug 2020, 12:15 UTC

GUnet Open eClass Platform (aka openeclass) before 3.11 might allow remote attackers to read students' submitted assessments because it does not ensure that the web server blocks directory listings, and the data directory is inside the web root by default.