Stored Cross-Site Scripting Flaw in RELATE Courseware by Inducer
CVE-2026-42197

8.7 HIGH

Key Information:

Vendor: Inducer

Status
Vendor
CVE Published: 27 May 2026

What is CVE-2026-42197?

The RELATE web-based courseware package is vulnerable to a stored cross-site scripting attack that lets an authenticated user run arbitrary JavaScript in an administrator's browser. Versions prior to the fix commit render user-controlled input into HTML without adequate sanitization. The issue involves the ParticipationAdmin class: any enrolled student can manipulate their profile information, potentially leading to full admin account takeover when an admin views the participation list in the Django admin panel. A security fix has been implemented in commit 555f0efb1c5bd7531c07cd73724d7e566a81f620.

Affected Version(s)

relate < 555f0efb1c5bd7531c07cd73724d7e566a81f620

CVSS V3.1

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved