Skip to main content

Open edX Platform EUVDEUVD-2026-29165

| CVE-2026-42857 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-11 GitHub_M
4.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.6 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 18:47 vuln.today
Analysis Generated
May 11, 2026 - 18:47 vuln.today
CVE Published
May 11, 2026 - 17:32 nvd
MEDIUM 4.6

DescriptionGitHub Advisory

Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags from user-generated discussion post content. This content is rendered with Django's |safe template filter in email notification templates, allowing any enrolled student to inject arbitrary CSS into email notifications sent to other users. This enables email tracking (IP address disclosure), content spoofing, and phishing attacks. This vulnerability is fixed with commit cddc25cd791bb78f76833896e4778f668861df12.

AnalysisAI

Stored cross-site scripting (XSS) via CSS injection in Open edX Platform allows enrolled students to inject arbitrary CSS into discussion notification emails sent to other users by bypassing insufficient HTML sanitization in the clean_thread_html_body() function. The vulnerability affects all versions prior to the fix commit and enables email tracking through malicious stylesheets, content spoofing, and phishing attacks against recipients who view notification emails.

Technical ContextAI

The vulnerability exists in the discussion notification email rendering pipeline of Open edX Platform. The clean_thread_html_body() function in lms/djangoapps/discussion/rest_api/discussions_notifications.py is responsible for sanitizing user-generated HTML content from discussion posts before it is rendered in email templates. However, this function fails to remove <style> tags, which are then rendered with Django's |safe template filter in email notification templates. When recipients open the email, the browser interprets the arbitrary CSS, allowing attackers to exploit CSS capabilities such as background-image URLs to exfiltrate IP addresses (via DNS/HTTP requests to attacker-controlled domains), overlay phishing forms using absolute positioning, or perform visual content spoofing. The root cause is incomplete HTML tag stripping (CWE-79: Improper Neutralization of Input During Web Page Generation). The fix (commit cddc25cd791bb78f76833896e4778f668861df12) adds <style> tag decomposition logic alongside content removal to fully eliminate CSS injection vectors.

RemediationAI

Apply the upstream fix by updating Open edX Platform to a patched version that includes commit cddc25cd791bb78f76833896e4778f668861df12 or later. The fix adds <style> tag decomposition to the clean_thread_html_body() function in lms/djangoapps/discussion/rest_api/discussions_notifications.py. If immediate patching is not feasible, implement compensating controls: (1) Disable or restrict the HTML discussion feature in notification emails by rendering discussion content as plain text instead of HTML, which eliminates CSS injection vectors at the rendering layer but may reduce email formatting quality. (2) Implement a Content Security Policy (CSP) header in email clients or email gateway settings that blocks inline styles (style-src 'none'), though this depends on email client support and may not be universally enforced. (3) Audit discussion posts for suspicious <style> tags in the discussion moderation tools and remove flagged posts; this is reactive but identifies active exploitation. (4) Restrict discussion posting privileges to trusted users (instructors, teaching assistants) rather than all enrolled students if pedagogically acceptable, reducing the attacker population. Refer to GitHub commit https://github.com/openedx/openedx-platform/commit/cddc25cd791bb78f76833896e4778f668861df12 for implementation details and test cases.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

EUVD-2026-29165 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy