Skip to main content

CVE-2026-31281

| EUVDEUVD-2026-21928 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-13 mitre
8.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.0 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 17:25 vuln.today
CVSS changed
Apr 14, 2026 - 17:22 NVD
8.0 (HIGH)
EUVD ID Assigned
Apr 13, 2026 - 14:45 euvd
EUVD-2026-21928
Analysis Generated
Apr 13, 2026 - 14:45 vuln.today
CVE Published
Apr 13, 2026 - 00:00 nvd
HIGH 8.0

DescriptionCVE.org

Totara LMS v19.1.5 and before is vulnerable to HTLM Injection. An attacker can inject malicious HTLM code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's browser.

AnalysisAI

HTML Injection in Totara LMS through version 19.1.5 allows authenticated users with low privileges to inject malicious HTML/JavaScript into messages sent to all application users, enabling session hijacking and arbitrary command execution in victims' browsers. A publicly available exploit exists (GitHub POC referenced), though no confirmed active exploitation (not in CISA KEV). EPSS score of 0.02% indicates very low observed exploitation probability despite the CVSS 8.0 rating, suggesting limited attacker interest or opportunity in real-world environments.

Technical ContextAI

This is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). Totara LMS, a learning management system fork of Moodle, fails to properly sanitize HTML content within its messaging system. When an authenticated user crafts a message containing malicious HTML/JavaScript payloads and distributes it through the platform's messaging feature, the application stores and renders this content without adequate encoding or Content Security Policy enforcement. Upon message retrieval, the injected script executes in the context of victim users' browser sessions, providing access to session cookies, CSRF tokens, and DOM manipulation capabilities. The vulnerability affects the messaging module specifically, leveraging the application's trust in content from authenticated internal users.

RemediationAI

No vendor-released patch version is independently confirmed from available data sources at time of analysis. Organizations should consult Totara's official security advisories at https://www.totara.com/ for patch availability and upgrade guidance. As an interim mitigation, implement Content Security Policy headers to restrict inline script execution, enable strict HTML filtering on user-generated content in messaging modules, and review user privilege assignments to limit low-privilege account access to messaging broadcast features. Monitor authentication logs for suspicious messaging activity patterns and consider temporarily restricting broadcast messaging capabilities to trusted administrator accounts until patching is completed. The GitHub POC repository (https://github.com/saykino/CVE-2026-31281) may provide technical details useful for detection signature development but should not be executed in production environments.

Share

CVE-2026-31281 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy