Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Totara LMS v19.1.5 and before is vulnerable to HTLM Injection. An attacker can inject malicious HTLM code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's browser.
AnalysisAI
HTML Injection in Totara LMS through version 19.1.5 allows authenticated users with low privileges to inject malicious HTML/JavaScript into messages sent to all application users, enabling session hijacking and arbitrary command execution in victims' browsers. A publicly available exploit exists (GitHub POC referenced), though no confirmed active exploitation (not in CISA KEV). EPSS score of 0.02% indicates very low observed exploitation probability despite the CVSS 8.0 rating, suggesting limited attacker interest or opportunity in real-world environments.
Technical ContextAI
This is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). Totara LMS, a learning management system fork of Moodle, fails to properly sanitize HTML content within its messaging system. When an authenticated user crafts a message containing malicious HTML/JavaScript payloads and distributes it through the platform's messaging feature, the application stores and renders this content without adequate encoding or Content Security Policy enforcement. Upon message retrieval, the injected script executes in the context of victim users' browser sessions, providing access to session cookies, CSRF tokens, and DOM manipulation capabilities. The vulnerability affects the messaging module specifically, leveraging the application's trust in content from authenticated internal users.
RemediationAI
No vendor-released patch version is independently confirmed from available data sources at time of analysis. Organizations should consult Totara's official security advisories at https://www.totara.com/ for patch availability and upgrade guidance. As an interim mitigation, implement Content Security Policy headers to restrict inline script execution, enable strict HTML filtering on user-generated content in messaging modules, and review user privilege assignments to limit low-privilege account access to messaging broadcast features. Monitor authentication logs for suspicious messaging activity patterns and consider temporarily restricting broadcast messaging capabilities to trusted administrator accounts until patching is completed. The GitHub POC repository (https://github.com/saykino/CVE-2026-31281) may provide technical details useful for detection signature development but should not be executed in production environments.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21928