CVE-2026-31281: n/a
Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's browser. NOTE: The supplier states that the product name is Totara Learning and that the functionality referenced is the in app messaging client. They note that the in app messaging client only has the ability to embed a specific allowed list of HTML tags commonly used for text enhancement, which includes italic, bold, underline, strong, etc. Last, they state that the in app messaging client cannot embed <script>, <style>, <iframe>, <object>, <embed>, <form>, <input>, <button>, <svg>, <math>, etc., and any attempt to embed tags or attributes outside of the allowed list (including onerror, onaction, etc.) is sanitized via DOMPurify.
AI Analysis
Technical Summary
CVE-2026-31281 is an HTML Injection vulnerability affecting Totara LMS v19.1.5 and earlier. The issue exists in the in-app messaging client, where an attacker can inject malicious HTML code into messages sent to users. The vendor notes that the client only allows a limited set of safe HTML tags (e.g., italic, bold, underline) and sanitizes any disallowed tags or attributes (such as <script>, <iframe>, event handlers) using DOMPurify. Despite these protections, the vulnerability is rated with a CVSS score of 8.0, indicating high severity due to potential session hijacking and command execution risks. No patch or official remediation level has been disclosed.
Potential Impact
Successful exploitation could allow an attacker with limited privileges to execute arbitrary HTML code in the context of other users' browsers, potentially leading to session hijacking and execution of commands. This could compromise user sessions and data confidentiality. However, the vendor's use of a strict HTML whitelist and DOMPurify sanitization reduces the attack surface by preventing embedding of dangerous tags and attributes.
Mitigation Recommendations
No official patch or remediation guidance is currently available. The vendor states that the in-app messaging client sanitizes disallowed HTML tags and attributes using DOMPurify and restricts allowed tags to a safe whitelist. Users should monitor vendor advisories for updates or patches. Until a fix is released, consider restricting messaging functionality or applying additional input validation if possible.
CVE-2026-31281: n/a
Description
Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's browser. NOTE: The supplier states that the product name is Totara Learning and that the functionality referenced is the in app messaging client. They note that the in app messaging client only has the ability to embed a specific allowed list of HTML tags commonly used for text enhancement, which includes italic, bold, underline, strong, etc. Last, they state that the in app messaging client cannot embed <script>, <style>, <iframe>, <object>, <embed>, <form>, <input>, <button>, <svg>, <math>, etc., and any attempt to embed tags or attributes outside of the allowed list (including onerror, onaction, etc.) is sanitized via DOMPurify.
CVSS v3.1
Score 8.0high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-31281 is an HTML Injection vulnerability affecting Totara LMS v19.1.5 and earlier. The issue exists in the in-app messaging client, where an attacker can inject malicious HTML code into messages sent to users. The vendor notes that the client only allows a limited set of safe HTML tags (e.g., italic, bold, underline) and sanitizes any disallowed tags or attributes (such as <script>, <iframe>, event handlers) using DOMPurify. Despite these protections, the vulnerability is rated with a CVSS score of 8.0, indicating high severity due to potential session hijacking and command execution risks. No patch or official remediation level has been disclosed.
Potential Impact
Successful exploitation could allow an attacker with limited privileges to execute arbitrary HTML code in the context of other users' browsers, potentially leading to session hijacking and execution of commands. This could compromise user sessions and data confidentiality. However, the vendor's use of a strict HTML whitelist and DOMPurify sanitization reduces the attack surface by preventing embedding of dangerous tags and attributes.
Mitigation Recommendations
No official patch or remediation guidance is currently available. The vendor states that the in-app messaging client sanitizes disallowed HTML tags and attributes using DOMPurify and restricts allowed tags to a safe whitelist. Users should monitor vendor advisories for updates or patches. Until a fix is released, consider restricting messaging functionality or applying additional input validation if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2026-03-09T00:00:00.000Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dcfe7a82d89c981ff7d5fc
Added to database: 4/13/2026, 2:32:26 PM
Last enriched: 4/29/2026, 10:57:27 AM
Last updated: 6/13/2026, 12:21:44 AM
Views: 45
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.