CVE-2026-42857: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in openedx openedx-platform
Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags from user-generated discussion post content. This content is rendered with Django's |safe template filter in email notification templates, allowing any enrolled student to inject arbitrary CSS into email notifications sent to other users. This enables email tracking (IP address disclosure), content spoofing, and phishing attacks. This vulnerability is fixed with commit cddc25cd791bb78f76833896e4778f668861df12.
AI Analysis
Technical Summary
The Open edX Platform enables online learning at scale and includes a discussion notification feature that sends emails to users. The vulnerability exists because the HTML sanitizer clean_thread_html_body() fails to remove <style> tags from user-generated content in discussion posts. Since this content is rendered with Django's |safe filter in email templates, it allows any enrolled student to inject arbitrary CSS into emails sent to other users. This CSS injection can be exploited for email tracking (disclosing IP addresses), content spoofing, and phishing. The vulnerability affects versions prior to commit cddc25cd791bb78f76833896e4778f668861df12 and is fixed by that commit.
Potential Impact
The vulnerability allows an attacker who is an enrolled student to inject arbitrary CSS into email notifications sent to other users. This can be used to track recipients' IP addresses, spoof email content, and facilitate phishing attacks. The confidentiality and integrity of email communications are impacted, but there is no indication of availability impact. The CVSS score is 4.6 (medium severity), reflecting limited impact on confidentiality and integrity with no impact on availability.
Mitigation Recommendations
A fix is available and implemented in commit cddc25cd791bb78f76833896e4778f668861df12. Users of the Open edX Platform should update to this commit or a later version that includes this fix to remediate the vulnerability. No additional mitigation steps are indicated by the vendor advisory.
CVE-2026-42857: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in openedx openedx-platform
Description
Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags from user-generated discussion post content. This content is rendered with Django's |safe template filter in email notification templates, allowing any enrolled student to inject arbitrary CSS into email notifications sent to other users. This enables email tracking (IP address disclosure), content spoofing, and phishing attacks. This vulnerability is fixed with commit cddc25cd791bb78f76833896e4778f668861df12.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Open edX Platform enables online learning at scale and includes a discussion notification feature that sends emails to users. The vulnerability exists because the HTML sanitizer clean_thread_html_body() fails to remove <style> tags from user-generated content in discussion posts. Since this content is rendered with Django's |safe filter in email templates, it allows any enrolled student to inject arbitrary CSS into emails sent to other users. This CSS injection can be exploited for email tracking (disclosing IP addresses), content spoofing, and phishing. The vulnerability affects versions prior to commit cddc25cd791bb78f76833896e4778f668861df12 and is fixed by that commit.
Potential Impact
The vulnerability allows an attacker who is an enrolled student to inject arbitrary CSS into email notifications sent to other users. This can be used to track recipients' IP addresses, spoof email content, and facilitate phishing attacks. The confidentiality and integrity of email communications are impacted, but there is no indication of availability impact. The CVSS score is 4.6 (medium severity), reflecting limited impact on confidentiality and integrity with no impact on availability.
Mitigation Recommendations
A fix is available and implemented in commit cddc25cd791bb78f76833896e4778f668861df12. Users of the Open edX Platform should update to this commit or a later version that includes this fix to remediate the vulnerability. No additional mitigation steps are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-30T16:44:48.379Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a021aa3cbff5d8610430389
Added to database: 5/11/2026, 6:06:27 PM
Last enriched: 5/11/2026, 6:23:54 PM
Last updated: 5/12/2026, 3:52:46 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.