PT-2026-44073 · Relate+1
Ruslan Armahov · Published 2026-05-27 · Updated 2026-05-27
CVE-2026-42197
CVSS v3.1: 8.7 (High)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
RELATE versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620
Description
A stored cross-site scripting issue allows enrolled students to execute arbitrary JavaScript in an administrator's browser session, which could lead to a full admin account takeover. The get_user() function in ParticipationAdmin uses mark_safe together with Python's % string formatting to render user-controlled input, which bypasses Django's automatic HTML escaping. The values come from the first_name and last_name fields of the User model, which any authenticated user can edit via the '/profile/' endpoint without sanitization. The script executes when an administrator views the Participation list in the Django admin panel.
Recommendations
Update to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620.
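To make the mechanism in the description concrete, the following is an added example (written for this page, not code from the RELATE project or its fix commit). It places a column function built with mark_safe plus % formatting next to the hardened form built with format_html, and renders both the way the admin changelist would. Django's helpers are used when Django is installed; otherwise minimal stand-ins that mirror the relevant escaping semantics are defined, which is an assumption labelled in the code. The User, Participation and sample values are constructed for the example.

```python
"""Stored XSS through mark_safe + "%" formatting in a ModelAdmin column,
beside the hardened form.  Editor-added example, not RELATE project code.
Falls back to stand-ins for Django's helpers so it runs offline."""
import html

try:
    from django.utils.html import conditional_escape, format_html
    from django.utils.safestring import mark_safe
except ImportError:
    # Assumption: these stand-ins reproduce only the Django behaviour needed here.
    class SafeString(str):
        def __html__(self):  # Django treats objects with __html__ as already safe
            return self

    def mark_safe(s):
        return SafeString(s)

    def conditional_escape(value):
        if hasattr(value, "__html__"):
            return value.__html__()
        return html.escape(str(value), quote=True)

    def format_html(fmt, *args, **kwargs):
        # Escape every argument first, then mark the assembled string safe.
        return mark_safe(fmt.format(
            *(conditional_escape(a) for a in args),
            **{k: conditional_escape(v) for k, v in kwargs.items()}))


class User:
    """Constructed stand-in for django.contrib.auth's User (relevant fields only)."""
    def __init__(self, username, first_name, last_name):
        self.username, self.first_name, self.last_name = username, first_name, last_name


class Participation:
    """Constructed stand-in for the model listed in the admin changelist."""
    def __init__(self, user):
        self.user = user


def get_user_vulnerable(participation):
    """Pattern from the advisory: raw field values are interpolated with "%",
    then mark_safe tells the admin template not to escape the result."""
    u = participation.user
    return mark_safe("%s (%s %s)" % (u.username, u.first_name, u.last_name))


def get_user_fixed(participation):
    """Hardened column: format_html escapes each argument before marking the
    result safe, so markup in profile fields is rendered as text."""
    u = participation.user
    return format_html("{} ({} {})", u.username, u.first_name, u.last_name)


def render_column(column_fn, participation):
    """Mimic the admin changelist: autoescape unless the value is marked safe."""
    return str(conditional_escape(column_fn(participation)))


# Constructed sample: a self-registered account whose editable first_name
# carries markup.  alert(1) is only a visible marker for "script ran".
MARKER = "<script>alert(1)</script>"
SAMPLE = Participation(User("student1", MARKER, "Doe"))


def markup_survives(column_fn, participation=SAMPLE):
    """True when a <script> tag reaches the rendered HTML unescaped."""
    return "<script>" in render_column(column_fn, participation)


if __name__ == "__main__":
    print("vulnerable:", render_column(get_user_vulnerable, SAMPLE))
    print("fixed:     ", render_column(get_user_fixed, SAMPLE))
```

A code-review check that follows from this: every call to mark_safe whose argument is built by %, .format() or an f-string from model fields deserves the same scrutiny, since the escaping bypass is the combination of the two, not mark_safe alone. Switching such columns to format_html (or letting the admin autoescape a plain str) removes the sink without changing what the administrator sees for benign names.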
Fix
XSS
Affected Products
Django
Relate