CVE-2026-42197: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in inducer relate
RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin account takeover. The `get_user()` method in `ParticipationAdmin` renders user-controlled input using `mark_safe` combined with Python's % string formatting. This bypasses Django\'s automatic HTML escaping entirely. The value returned by `get_full_name` is derived directly from the `first_name` and `last_name` fields of the User model. These fields are freely editable by any authenticated user through the profile page (`/profile/`) with no sanitization applied. When an admin views the Participation list in the Django admin panel, the unsanitized value is rendered directly into the HTML response, causing the injected script to execute in the admin's browser. Commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-42197 is a stored cross-site scripting vulnerability in the RELATE courseware system affecting versions before commit 555f0efb1c5bd7531c07cd73724d7e566a81f620. The vulnerability is due to the get_user() method in ParticipationAdmin using Python's % string formatting combined with Django's mark_safe, which bypasses automatic HTML escaping. The get_full_name method returns values directly from the first_name and last_name fields of the User model, which are editable by any authenticated user without sanitization. When an administrator views the Participation list in the Django admin panel, the unsanitized input is rendered directly into the HTML response, enabling stored XSS and potential admin account takeover. The vulnerability has a CVSS 3.1 score of 8.7 (high severity). The issue is resolved by the commit 555f0efb1c5bd7531c07cd73724d7e566a81f620.
Potential Impact
An attacker with authenticated user privileges can inject malicious JavaScript into their user profile fields, which executes in the browser of an administrator viewing the Participation list. This can lead to full administrator account takeover, compromising the integrity and security of the RELATE system. The vulnerability does not affect availability but has high confidentiality and integrity impact.
Mitigation Recommendations
A fix is available in RELATE starting from commit 555f0efb1c5bd7531c07cd73724d7e566a81f620. Users should upgrade to this version or later to remediate the vulnerability. Since this is not a cloud service, patching the affected software instance is required. Patch status is confirmed by the vendor commit reference. No alternative mitigations are provided in the advisory.
CVE-2026-42197: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in inducer relate
Description
RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin account takeover. The `get_user()` method in `ParticipationAdmin` renders user-controlled input using `mark_safe` combined with Python's % string formatting. This bypasses Django\'s automatic HTML escaping entirely. The value returned by `get_full_name` is derived directly from the `first_name` and `last_name` fields of the User model. These fields are freely editable by any authenticated user through the profile page (`/profile/`) with no sanitization applied. When an admin views the Participation list in the Django admin panel, the unsanitized value is rendered directly into the HTML response, causing the injected script to execute in the admin's browser. Commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 fixes the issue.
CVSS v3.1
Score 8.7high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-42197 is a stored cross-site scripting vulnerability in the RELATE courseware system affecting versions before commit 555f0efb1c5bd7531c07cd73724d7e566a81f620. The vulnerability is due to the get_user() method in ParticipationAdmin using Python's % string formatting combined with Django's mark_safe, which bypasses automatic HTML escaping. The get_full_name method returns values directly from the first_name and last_name fields of the User model, which are editable by any authenticated user without sanitization. When an administrator views the Participation list in the Django admin panel, the unsanitized input is rendered directly into the HTML response, enabling stored XSS and potential admin account takeover. The vulnerability has a CVSS 3.1 score of 8.7 (high severity). The issue is resolved by the commit 555f0efb1c5bd7531c07cd73724d7e566a81f620.
Potential Impact
An attacker with authenticated user privileges can inject malicious JavaScript into their user profile fields, which executes in the browser of an administrator viewing the Participation list. This can lead to full administrator account takeover, compromising the integrity and security of the RELATE system. The vulnerability does not affect availability but has high confidentiality and integrity impact.
Mitigation Recommendations
A fix is available in RELATE starting from commit 555f0efb1c5bd7531c07cd73724d7e566a81f620. Users should upgrade to this version or later to remediate the vulnerability. Since this is not a cloud service, patching the affected software instance is required. Patch status is confirmed by the vendor commit reference. No alternative mitigations are provided in the advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-25T05:04:37.026Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a17476ae29bf47b50e35416
Added to database: 5/27/2026, 7:35:06 PM
Last enriched: 5/27/2026, 7:49:35 PM
Last updated: 5/29/2026, 6:23:25 PM
Views: 16
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.