CVE-2026-42857 (GCVE-0-2026-42857)

Vulnerability from cvelistv5 – Published: 2026-05-11 17:32 – Updated: 2026-05-13 14:40
Title
Open edX Platform: Stored CSS Injection in Email Notifications via Incomplete HTML Sanitization
Summary
Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags from user-generated discussion post content. This content is rendered with Django's |safe template filter in email notification templates, allowing any enrolled student to inject arbitrary CSS into email notifications sent to other users. This enables email tracking (IP address disclosure), content spoofing, and phishing attacks. This vulnerability is fixed with commit cddc25cd791bb78f76833896e4778f668861df12.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
openedx openedx-platform Affected: < cddc25cd791bb78f76833896e4778f668861df12
Affected: >= sumac, < ulmo

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42857",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T12:50:59.990504Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T14:40:55.961Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/openedx/openedx-platform/security/advisories/GHSA-4xv3-5j4x-q8g4"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openedx-platform",
          "vendor": "openedx",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c cddc25cd791bb78f76833896e4778f668861df12"
            },
            {
              "status": "affected",
              "version": "\u003e= sumac, \u003c ulmo"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove \u003cstyle\u003e tags from user-generated discussion post content. This content is rendered with Django\u0027s |safe template filter in email notification templates, allowing any enrolled student to inject arbitrary CSS into email notifications sent to other users. This enables email tracking (IP address disclosure), content spoofing, and phishing attacks. This vulnerability is fixed with commit cddc25cd791bb78f76833896e4778f668861df12."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T17:32:40.940Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/openedx/openedx-platform/security/advisories/GHSA-4xv3-5j4x-q8g4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/openedx/openedx-platform/security/advisories/GHSA-4xv3-5j4x-q8g4"
        },
        {
          "name": "https://github.com/openedx/openedx-platform/commit/cddc25cd791bb78f76833896e4778f668861df12",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/openedx/openedx-platform/commit/cddc25cd791bb78f76833896e4778f668861df12"
        }
      ],
      "source": {
        "advisory": "GHSA-4xv3-5j4x-q8g4",
        "discovery": "UNKNOWN"
      },
      "title": "Open edX Platform: Stored CSS Injection in Email Notifications via Incomplete HTML Sanitization"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42857",
    "datePublished": "2026-05-11T17:32:40.940Z",
    "dateReserved": "2026-04-30T16:44:48.379Z",
    "dateUpdated": "2026-05-13T14:40:55.961Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-42857",
      "date": "2026-05-27",
      "epss": "0.0003",
      "percentile": "0.0909"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42857\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-11T18:16:36.130\",\"lastModified\":\"2026-05-13T16:16:48.870\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove \u003cstyle\u003e tags from user-generated discussion post content. This content is rendered with Django\u0027s |safe template filter in email notification templates, allowing any enrolled student to inject arbitrary CSS into email notifications sent to other users. This enables email tracking (IP address disclosure), content spoofing, and phishing attacks. This vulnerability is fixed with commit cddc25cd791bb78f76833896e4778f668861df12.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N\",\"baseScore\":4.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",
\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openedx:openedx:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2026-04-24\",\"matchCriteriaId\":\"B6A89836-9BC9-44BF-B3FD-D1767F42B02D\"}]}]}],\"references\":[{\"url\":\"https://github.com/openedx/openedx-platform/commit/cddc25cd791bb78f76833896e4778f668861df12\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/openedx/openedx-platform/security/advisories/GHSA-4xv3-5j4x-q8g4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/openedx/openedx-platform/security/advisories/GHSA-4xv3-5j4x-q8g4\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42857\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-13T12:50:59.990504Z\"}}}], \"references\": [{\"url\": \"https://github.com/openedx/openedx-platform/security/advisories/GHSA-4xv3-5j4x-q8g4\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-13T12:51:16.760Z\"}}], \"cna\": {\"title\": \"Open edX Platform: Stored CSS Injection in Email Notifications via Incomplete HTML Sanitization\", \"source\": {\"advisory\": \"GHSA-4xv3-5j4x-q8g4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"openedx\", \"product\": \"openedx-platform\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c cddc25cd791bb78f76833896e4778f668861df12\"}, {\"status\": \"affected\", \"version\": \"\u003e= sumac, \u003c ulmo\"}]}], \"references\": [{\"url\": \"https://github.com/openedx/openedx-platform/security/advisories/GHSA-4xv3-5j4x-q8g4\", \"name\": \"https://github.com/openedx/openedx-platform/security/advisories/GHSA-4xv3-5j4x-q8g4\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/openedx/openedx-platform/commit/cddc25cd791bb78f76833896e4778f668861df12\", \"name\": 
\"https://github.com/openedx/openedx-platform/commit/cddc25cd791bb78f76833896e4778f668861df12\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove \u003cstyle\u003e tags from user-generated discussion post content. This content is rendered with Django\u0027s |safe template filter in email notification templates, allowing any enrolled student to inject arbitrary CSS into email notifications sent to other users. This enables email tracking (IP address disclosure), content spoofing, and phishing attacks. This vulnerability is fixed with commit cddc25cd791bb78f76833896e4778f668861df12.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-11T17:32:40.940Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-42857\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-13T14:40:55.961Z\", \"dateReserved\": \"2026-04-30T16:44:48.379Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-11T17:32:40.940Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}








Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.
