CVE-2026-42857 — MEDIUM (4.6)

Vulnerability Description

Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags from user-generated discussion post content. This content is rendered with Django's |safe template filter in email notification templates, allowing any enrolled student to inject arbitrary CSS into email notifications sent to other users. This enables email tracking (IP address disclosure), content spoofing, and phishing attacks. This vulnerability is fixed with commit cddc25cd791bb78f76833896e4778f668861df12.

CVSS Score

4.6

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Openedx	Openedx	< 2026-04-24

Related Weaknesses (CWE)

CWE-79

References

https://github.com/openedx/openedx-platform/commit/cddc25cd791bb78f76833896e4778Patch
https://github.com/openedx/openedx-platform/security/advisories/GHSA-4xv3-5j4x-qExploitVendor Advisory
https://github.com/openedx/openedx-platform/security/advisories/GHSA-4xv3-5j4x-qExploitVendor Advisory

FAQ

What is CVE-2026-42857?

CVE-2026-42857 is a vulnerability with a CVSS score of 4.6 (MEDIUM). Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags f...

How severe is CVE-2026-42857?

CVE-2026-42857 has been rated MEDIUM with a CVSS base score of 4.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-42857?

Check the references section above for vendor advisories and patch information. Affected products include: Openedx Openedx.