Description
Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags from user-generated discussion post content. This content is rendered with Django's |safe template filter in email notification templates, allowing any enrolled student to inject arbitrary CSS into email notifications sent to other users. This enables email tracking (IP address disclosure), content spoofing, and phishing attacks. This vulnerability is fixed with commit cddc25cd791bb78f76833896e4778f668861df12.
Published: 2026-05-11
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Open edX Platform’s HTML sanitizer fails to strip <style> tags from user‑generated discussion posts. Those posts are rendered with Django’s |safe template filter inside email notification templates, allowing any enrolled student to inject arbitrary CSS into email notifications sent to other users. The injected CSS can be used for email tracking, including revealing the recipient’s IP address, and can also modify the appearance of legitimate content to facilitate phishing and content spoofing attacks.

Affected Systems

The affected vendor is openedx and the product is the Open edX Platform. No specific product versions are listed in the advisory; however, any installation that has not applied the fix implemented by commit cddc25cd791bb78f76833896e4778f668861df12 is vulnerable.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate overall severity. The EPSS score is not available, and the vulnerability is not included in the CISA KEV catalog. Based on the description, the likely attack vector is internal: any enrolled student can author a discussion post containing malicious CSS, and that CSS will be sent to other users through email notifications. The exploitation requires no special privileges beyond normal platform participation, making the vulnerability relatively approachable for an attacker with access to the learning platform.

Generated by OpenCVE AI on May 11, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the fixed commit cddc25cd791bb78f76833896e4778f668861df12 or upgrade to a patched release of Open edX Platform.
  • Verify that email notification templates no longer render untrusted content with the |safe filter and ensure that any <style> tags are removed or stripped by the sanitizer.
  • Monitor outbound email notifications for anomalous CSS or spoofed content to detect potential exploitation attempts.
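As an added illustration of the second action (not Open edX's own clean_thread_html_body(), which is not reproduced here), the following standard-library sanitizer uses an allow-list of tags and attributes and drops `<style>` and `<script>` elements together with their contents, so no CSS body survives into a template that later applies |safe. The allow-list, the sample post and the `contains_style()` check are constructed for this example; the check is the kind of cheap assertion a template test or an outbound-mail monitor could run to catch the residue the advisory describes.

```python
"""Allow-list HTML sanitizer for discussion-post bodies (added example).

Assumptions: a small constructed allow-list; real deployments would tune it.
Key point: <style>/<script> are removed *with their text content*, because
a bare tag strip that keeps the CSS body still leaks attacker-controlled
stylesheet text into an email rendered with |safe.
"""
from html import escape
from html.parser import HTMLParser

# Constructed allow-list for this example; not Open edX's configuration.
ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "a", "ul", "ol", "li", "br", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}          # everything else (style=, on*=) is dropped
DROP_WITH_CONTENT = {"style", "script"}  # the element and its body both disappear
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class _Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tags are removed, their text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue  # refuse javascript:, data:, etc.
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_startendtag(self, tag, attrs):
        # <br/> style self-closing tags: treat as open followed by close
        self.handle_starttag(tag, attrs)
        self.handle_endtag(tag)

    def handle_data(self, data):
        if not self.skip_depth:
            # Re-escape text so "<style>" typed as text stays inert
            self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    """Return a cleaned HTML fragment safe to mark as |safe in a template."""
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def contains_style(html: str) -> bool:
    """Post-render check: flag any <style> element that reached the output."""
    return "<style" in html.lower()


# Constructed sample post: benign text plus injected CSS, an event handler and a script.
SAMPLE_POST = (
    "<p>Great lecture!</p>"
    "<style>p { color: red }</style>"
    '<p onclick="x()">See <a href="https://example.org/notes">notes</a></p>'
    "<script>alert(1)</script>"
)

if __name__ == "__main__":
    cleaned = sanitize(SAMPLE_POST)
    print(cleaned)
    print("style residue:", contains_style(cleaned))
```

`sanitize()` is meant to run before the body is stored or, at the latest, before it is handed to the email template; `contains_style()` is a second, independent guard for tests or for a monitor that inspects rendered notification bodies, so a regression in the sanitizer is noticed rather than mailed out.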


Tracking


Advisories

No advisories yet.

History

Mon, 11 May 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openedx; Openedx openedx-platform
Vendors & Products | | Openedx; Openedx openedx-platform

Mon, 11 May 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags from user-generated discussion post content. This content is rendered with Django's |safe template filter in email notification templates, allowing any enrolled student to inject arbitrary CSS into email notifications sent to other users. This enables email tracking (IP address disclosure), content spoofing, and phishing attacks. This vulnerability is fixed with commit cddc25cd791bb78f76833896e4778f668861df12.
Title | | Open edX Platform: Stored CSS Injection in Email Notifications via Incomplete HTML Sanitization
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T17:32:40.940Z

Reserved: 2026-04-30T16:44:48.379Z

Link: CVE-2026-42857

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-11T18:16:36.130

Modified: 2026-05-12T16:50:08.553

Link: CVE-2026-42857

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T19:30:06Z

Weaknesses