CVE-2026-42857 MEDIUM

CVE-2026-42857: Open edX Platform: Stored CSS Injection in Email Notifications via Incomplete HTML Sanitization

Vendor Openedx
Product openedx-platform
Weakness CWE-79 · XSS
Published May 11, 2026
Last update May 13, 2026
View on NVD All CVEs

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags from user-generated discussion post content. This content is rendered with Django's |safe template filter in email notification templates, allowing any enrolled student to inject arbitrary CSS into email notifications sent to other users. This enables email tracking (IP address disclosure), content spoofing, and phishing attacks. This vulnerability is fixed with commit cddc25cd791bb78f76833896e4778f668861df12.

Key dates

02Disclosure timeline

May 11, 2026 CVE published
May 13, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-39926 WordPress Under Construction / Maintenance Mode from Acurax Plugin <= 2.6 is vulnerable to Cross Site Scripting (XSS) CVE-2023-40554 WordPress Blog2Social Plugin <= 7.2.0 is vulnerable to Cross Site Scripting (XSS) CVE-2024-11240 IBPhoenix ibWebAdmin Banco de Dados Tab database.php cross site scripting CVE-2022-2396 SourceCodester Simple e-Learning System claire_blake cross site scripting CVE-2025-23604 WordPress Rezdy Reloaded plugin <= 1.0.1 - Cross Site Scripting (XSS) vulnerability