CVE-2026-31281
HTML Injection in Totara LMS ≤ v19.1.5 Enables Session Hijacking
Publication date: 2026-04-13
Last updated on: 2026-04-24
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| totara | totara_lms | 19.1.5 |
| totara | totara_lms | up to 19.1.5 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31281 is a vulnerability in Totara LMS versions up to and including 19.1.5 that allows an attacker to inject malicious HTML code into the messages box component.
When the malicious message is sent, the injected HTML code executes in the browsers of all users who receive the message.
This can lead to session hijacking and the execution of arbitrary commands on the victim's browser.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Totara LMS allows an attacker to inject malicious HTML code that can lead to session hijacking and execution of arbitrary commands on users' browsers. Such security flaws can potentially compromise user data confidentiality and integrity.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable unauthorized access or data manipulation can negatively impact compliance with these regulations, which require protection of personal and sensitive data.
Therefore, if exploited, this vulnerability could lead to violations of data protection requirements under common standards and regulations by exposing user sessions and possibly sensitive information.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to hijack user sessions and execute arbitrary commands on your browser through malicious HTML code injected in messages.
Such attacks can compromise user accounts, steal sensitive information, and potentially allow further exploitation within the application.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves malicious HTML code injection in the messages box component of Totara LMS v19.1.5 and earlier. Detection would involve inspecting messages sent within the application for suspicious or unexpected HTML content.
Since the vulnerability is related to HTML injection in messages, you can detect it by reviewing message contents for embedded scripts or unusual HTML tags.
There are no specific commands provided in the available resources to detect this vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability can be mitigated by implementing proper sanitization of user input and output within the messages box component to prevent malicious HTML code injection.
Additionally, upgrading Totara LMS to a version later than 19.1.5, where this issue has been fixed, is recommended.
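As an added illustration of the detection and mitigation answers above (this is not Totara's code; the message bodies are constructed samples, and the patterns are a starting point for a review of stored messages, not a complete filter), the following Python scans message bodies for active markup and shows the output-encoding step that prevents a body from being rendered as HTML:

```python
import html
import re

# Patterns that indicate active markup a plain chat message should never carry.
# Kept deliberately narrow so the scan is easy to audit; extend as needed.
RISKY_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),
    "javascript_url": re.compile(r"(href|src)\s*=\s*['\"]?\s*javascript:", re.I),
    "embedded_frame": re.compile(r"<\s*(iframe|object|embed)\b", re.I),
}

# Constructed sample messages standing in for bodies exported from the LMS
# message store; they are not real Totara data.
SAMPLE_MESSAGES = [
    {"id": 1, "body": "See you at the 3pm lecture in room <b>B204</b>."},
    {"id": 2, "body": 'Hi! <img src=x onerror="alert(1)"> did you get the slides?'},
    {"id": 3, "body": "Reminder: <script>alert(1)</script>"},
    {"id": 4, "body": 'Link: <a href="JavaScript:alert(1)">notes</a>'},
    {"id": 5, "body": "1 < 2 and 3 > 2, plain text with angle brackets"},
]


def scan_messages(messages):
    """Return [(message id, [matched pattern names])] for suspicious bodies."""
    findings = []
    for msg in messages:
        hits = [name for name, rx in RISKY_PATTERNS.items() if rx.search(msg["body"])]
        if hits:
            findings.append((msg["id"], hits))
    return findings


def render_message_safely(body):
    """Output encoding: the body is shown as text, so markup in it is inert."""
    return html.escape(body, quote=True)


if __name__ == "__main__":
    for msg_id, hits in scan_messages(SAMPLE_MESSAGES):
        print(f"message {msg_id}: {', '.join(hits)}")
    print(render_message_safely(SAMPLE_MESSAGES[2]["body"]))
```

Escaping on output is the durable fix; the scan only helps find messages that were stored before the fix was applied.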