CVE-2026-31281

HIGH

Totara LMS <=v19.1.5 - HTML Injection

Title source: llm

Description

Totara LMS v19.1.5 and earlier is vulnerable to HTML injection. An attacker can inject malicious HTML code into a message and send it to all users of the application, which results in the code being executed and may lead to session hijacking and command execution in the victim's browser.

Exploits (1)

nomisec WRITEUP
by saykino · poc
https://github.com/saykino/CVE-2026-31281

Scores

CVSS v3 8.0
EPSS 0.0004
EPSS Percentile 12.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-79
Status published
Published Apr 13, 2026
Tracked Since Apr 13, 2026