CVE-2026-42857

Published: May 11, 2026

Modified: May 13, 2026

PUBLISHED

CVSS v3.1

4.6

MEDIUM

Description

Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags from user-generated discussion post content. This content is rendered with Django's |safe template filter in email notification templates, allowing any enrolled student to inject arbitrary CSS into email notifications sent to other users. This enables email tracking (IP address disclosure), content spoofing, and phishing attacks. This vulnerability is fixed with commit cddc25cd791bb78f76833896e4778f668861df12.

Vendor	Product	Versions
openedx	openedx-platform	affected `< cddc25cd791bb78f76833896e4778f668861df12` affected `>= sumac, < ulmo`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/openedx/openedx-platform/security/advisories/GHSA-4xv3-5j4x-q8g4

x_refsource_CONFIRM

https://github.com/openedx/openedx-platform/commit/cddc25cd791bb78f76833896e4778f668861df12

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-42857

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References