Description
Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's browser. NOTE: The supplier states that the product name is Totara Learning and that the functionality referenced is the in app messaging client. They note that the in app messaging client only has the ability to embed a specific allowed list of HTML tags commonly used for text enhancement, which includes italic, bold, underline, strong, etc. Last, they state that the in app messaging client cannot embed <script>, <style>, <iframe>, <object>, <embed>, <form>, <input>, <button>, <svg>, <math>, etc., and any attempt to embed tags or attributes outside of the allowed list (including onerror, onaction, etc.) is sanitized via DOMPurify.
Published: 2026-04-13
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting allowing session hijacking and client‑side command execution
Action: Immediate Update
AI Analysis

Impact

In Totara Learning Management System version 19.1.5 and earlier, the in‑app messaging client accepts user‑supplied HTML without fully sanitizing it, enabling an attacker to embed malicious tags in a message. When recipients view the message, the code runs in their browser, leading to Cross‑Site Scripting, session hijacking, and possible client‑side command execution. The weakness is a classic XSS, classified as CWE‑79.

Affected Systems

All installations of Totara LMS running version 19.1.5 or older, regardless of deployment environment, are affected, as the flaw resides in the core messaging module.

Risk and Exploitability

The CVSS score of 8.0 reflects high impact, while the EPSS score indicates a low exploitation probability (< 1 %). The vulnerability is not listed in CISA’s KEV catalogue. Based on the description, it is inferred that the attack requires an authenticated user with permission to post messages, as the attacker must embed malicious HTML in a message that is then distributed to all users. Once a recipient opens the message, the payload executes in their browser, enabling session hijack and client‑side command execution.

Generated by OpenCVE AI on April 28, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Totara LMS release that removes the HTML injection flaw in the messaging client.
  • If a patch cannot be applied immediately, block or restrict the ability for users to post raw HTML in messages, or enforce stricter sanitization on message input.
  • Verify that all custom themes and third‑party plugins perform proper HTML sanitization before rendering messages, and upgrade them to secure versions.
  • Consider disabling public messaging or monitoring for suspicious script tags until the vulnerability is patched.
  • Consult Totara support or official advisory channels for additional guidance and patch availability notices.

Generated by OpenCVE AI on April 28, 2026 at 21:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 22:00:00 +0000

Type Values Removed Values Added
Title Totara LMS In‑App Messaging HTML Injection Leading to Cross‑Site Scripting

Fri, 24 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description Totara LMS v19.1.5 and before is vulnerable to HTLM Injection. An attacker can inject malicious HTLM code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's browser. Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's browser. NOTE: The supplier states that the product name is Totara Learning and that the functionality referenced is the in app messaging client. They note that the in app messaging client only has the ability to embed a specific allowed list of HTML tags commonly used for text enhancement, which includes italic, bold, underline, strong, etc. Last, they state that the in app messaging client cannot embed <script>, <style>, <iframe>, <object>, <embed>, <form>, <input>, <button>, <svg>, <math>, etc., and any attempt to embed tags or attributes outside of the allowed list (including onerror, onaction, etc.) is sanitized via DOMPurify.

Wed, 15 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Title HTML Injection in Totara LMS Permits Cross‑Site Scripting and Session Hijacking

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title HTML Injection in Totara LMS Permits Cross‑Site Scripting and Session Hijacking
Weaknesses CWE-79

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Totara
Totara lms
Vendors & Products Totara
Totara lms

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Totara LMS v19.1.5 and before is vulnerable to HTLM Injection. An attacker can inject malicious HTLM code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's browser.
References

Subscriptions

Totara Lms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-24T16:34:23.641Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31281

cve-icon Vulnrichment

Updated: 2026-04-14T15:45:40.861Z

cve-icon NVD

Status : Deferred

Published: 2026-04-13T15:17:32.973

Modified: 2026-04-24T17:16:19.940

Link: CVE-2026-31281

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T21:45:26Z

Weaknesses