PT-2026-39712 · Unknown · Open Edx Platform
Ik0Z
·
Published
2026-05-11
·
Updated
2026-05-11
·
CVE-2026-42857
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Open edX Platform (affected versions not specified)
Description
The HTML sanitizer function
clean thread html body() used for discussion notification emails fails to remove <style> tags from user-generated discussion post content. Because this content is rendered using Django's |safe template filter in email notification templates, an enrolled student can inject arbitrary CSS into emails sent to other users. This can lead to content spoofing, phishing attacks, and email tracking, which may disclose IP addresses.Recommendations
Apply the fix provided in commit cddc25cd791bb78f76833896e4778f668861df12.
Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Open Edx Platform