CVE-2026-42857
Severity: MEDIUM
Open edX Platform: Stored CSS Injection in Email Notifications via Incomplete HTML Sanitization
Title source: cna
Description
Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags from user-generated discussion post content. This content is rendered with Django's |safe template filter in email notification templates, allowing any enrolled student to inject arbitrary CSS into email notifications sent to other users. This enables email tracking (IP address disclosure), content spoofing, and phishing attacks. This vulnerability is fixed with commit cddc25cd791bb78f76833896e4778f668861df12.
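The root cause described above is a sanitizer that keeps `<style>` elements whose text is then emitted unescaped. The allowlist sanitizer below is an added example, not Open edX's clean_thread_html_body() or the fix in the referenced commit; the tag and attribute allowlists are assumptions, and the point it demonstrates is that `<style>` and `<script>` must be dropped together with their content, since stripping only the tag would leave the CSS as visible text, while unknown tags are dropped and all other text is escaped.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for discussion-post formatting (an assumption for this example).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}
# Elements whose whole content is discarded: keeping their text would leak the CSS/JS into the email.
DROP_WITH_CONTENT = {"style", "script"}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from an allowlist; everything else is dropped or escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # >0 while inside a <style>/<script> element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                # Only absolute http(s) links survive; other schemes are dropped.
                if name == "href" and not value.lower().startswith(("http://", "https://")):
                    continue
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data))  # text is always escaped, never passed through raw


def sanitize_post_html(html: str) -> str:
    """Return HTML that is safe to render with Django's |safe filter in an email template."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```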
References (2)
x_refsource_confirm: https://github.com/openedx/openedx-platform/security/advisories/GHSA-4xv3-5j4x-q8g4
x_refsource_misc: https://github.com/openedx/openedx-platform/commit/cddc25cd791bb78f76833896e4778f668861df12
Scores
CVSS v3
4.6
EPSS
0.0021
EPSS Percentile
11.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (3)
openedx/openedx
< 2026-04-24
openedx/openedx-platform
< cddc25cd791bb78f76833896e4778f668861df12
openedx/openedx-platform
>= sumac, < ulmo
Published
May 11, 2026
Tracked Since
May 11, 2026