CVE-2026-35404

Name of the Vulnerable Software and Affected Versions Open edX Platform (affected versions not specified)

Description The Open edX Platform allows for the creation and delivery of online learning content. The view survey API endpoint is susceptible to an open redirect issue due to the lack of validation for the redirect url GET parameter. Providing a non-existent survey name results in an unvalidated HTTP 302 redirect to a user-controlled URL. This same unvalidated URL is also included in a hidden form field and returned in a JSON response, where client-side JavaScript then redirects the user to that URL. This can lead to phishing and credential theft attacks against authenticated users.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.