PT-2026-29118 · Openolat · Openolat

Fkt · Published 2026-03-30 · Updated 2026-03-31 · CVE-2026-28228

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
- OpenOlat versions prior to 19.1.31
- OpenOlat versions prior to 20.1.18
- OpenOlat versions prior to 20.2.5

Description
OpenOlat is a web-based e-learning platform. Prior to versions 19.1.31, 20.1.18, and 20.2.5, an authenticated user with the Author role could inject Velocity directives into a reminder email template. When the reminder is processed, the injected directives are evaluated server-side. By chaining Velocity's #set directive with Java reflection, an attacker can instantiate arbitrary Java classes, such as java.lang.ProcessBuilder, and execute operating system commands with the privileges of the Tomcat process. The ProcessBuilder class is a Java class used to create operating system processes.

Recommendations
- Update OpenOlat to version 19.1.31 or later.
- Update OpenOlat to version 20.1.18 or later.
- Update OpenOlat to version 20.2.5 or later.
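The root cause described above is a classic server-side template injection: text typed by a user is handed to the template engine as the template itself, so any directive in it runs. The following Java example is added here for illustration and is not OpenOlat's code or its actual fix; it assumes Apache Velocity (1.7 or 2.x) on the classpath and shows the vulnerable pattern beside the hardened one. The hardened variant keeps a fixed, application-owned template and passes the user's text in only as a context value, so directives in it are emitted verbatim. As defence in depth it also enables Velocity's SecureUberspector, which by default refuses template access to java.lang.Class, ClassLoader, Runtime, System, Thread and the java.lang.reflect package, the reflection path the advisory describes. The sample reminder text is constructed for the demo and uses a harmless #set only to show whether directives are being evaluated.

```java
import java.io.StringWriter;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

/**
 * Added example (not OpenOlat code): two ways a user-supplied reminder body
 * can reach Velocity. Evaluating the user's text as the template runs every
 * directive it contains; passing it as a value keeps directives inert.
 */
public class ReminderTemplateDemo {

    // Constructed sample of what an Author-role user might type into a reminder body.
    // A harmless #set is enough to reveal whether directives get evaluated.
    static final String USER_TEXT = "#set($probe = \"evaluated\")Hello, directive was $probe";

    static VelocityEngine newEngine() {
        VelocityEngine engine = new VelocityEngine();
        // Defence in depth: SecureUberspector blocks template access to Class,
        // ClassLoader, Runtime, System, Thread and java.lang.reflect, so even an
        // evaluated directive cannot walk from an object to arbitrary classes.
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        engine.init();
        return engine;
    }

    // VULNERABLE PATTERN: the user's text IS the template, so its #set runs server-side.
    static String renderUserTextAsTemplate(VelocityEngine engine, String userText) {
        StringWriter out = new StringWriter();
        engine.evaluate(new VelocityContext(), out, "reminder", userText);
        return out.toString();
    }

    // HARDENED PATTERN: the template is a fixed string owned by the application;
    // the user's text enters only as the value of $body and is written out literally.
    static final String FIXED_TEMPLATE = "Reminder for $course:\n$body";

    static String renderUserTextAsValue(VelocityEngine engine, String course, String userText) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("course", course);
        ctx.put("body", userText);
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "reminder", FIXED_TEMPLATE);
        return out.toString();
    }

    public static void main(String[] args) {
        VelocityEngine engine = newEngine();
        // In the first rendering the #set directive is executed and $probe is substituted;
        // in the second the same text appears unchanged, because Velocity never parsed it.
        System.out.println(renderUserTextAsTemplate(engine, USER_TEXT));
        System.out.println(renderUserTextAsValue(engine, "Security 101", USER_TEXT));
    }
}
```

Only the second rendering is safe to use with attacker-controlled text. Note that SecureUberspector alone is not a substitute for the structural fix: it narrows what an evaluated directive can reach, but the advisory's premise, that the user's text is parsed as a template at all, is what the fixed-template pattern removes.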

Exploit · Fix · RCE


Weakness Enumeration

Related Identifiers

CVE-2026-28228
GHSA-55QG-VVGJ-FFH4

Affected Products

Openolat