PT-2026-39712 · Unknown · Open Edx Platform

Ik0Z

·

Published

2026-05-11

·

Updated

2026-05-11

·

CVE-2026-42857

CVSS v3.1

5.4

Medium

VectorAV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Open edX Platform (affected versions not specified)
Description The HTML sanitizer function clean thread html body() used for discussion notification emails fails to remove <style> tags from user-generated discussion post content. Because this content is rendered using Django's |safe template filter in email notification templates, an enrolled student can inject arbitrary CSS into emails sent to other users. This can lead to content spoofing, phishing attacks, and email tracking, which may disclose IP addresses.
Recommendations Apply the fix provided in commit cddc25cd791bb78f76833896e4778f668861df12.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-42857
GHSA-4XV3-5J4X-Q8G4

Affected Products

Open Edx Platform