CVE-2026-31281
Received Received - Intake
HTML Injection in Totara LMS ≀ v19.1.5 Enables Session Hijacking

Publication date: 2026-04-13

Last updated on: 2026-04-24

Assigner: MITRE

Description
Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's browser. NOTE: The supplier states that the product name is Totara Learning and that the functionality referenced is the in app messaging client. They note that the in app messaging client only has the ability to embed a specific allowed list of HTML tags commonly used for text enhancement, which includes italic, bold, underline, strong, etc. Last, they state that the in app messaging client cannot embed
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-13
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-13
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31281
EUVD
EUVD-2026-21928
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
totara totara_lms 19.1.5
totara totara_lms to 19.1.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31281 is a vulnerability in Totara LMS versions up to and including 19.1.5 that allows an attacker to inject malicious HTML code into the messages box component.

When the malicious message is sent, the injected HTML code executes in the browsers of all users who receive the message.

This can lead to session hijacking and the execution of arbitrary commands on the victim's browser.

Compliance Impact

The vulnerability in Totara LMS allows an attacker to inject malicious HTML code that can lead to session hijacking and execution of arbitrary commands on users' browsers. Such security flaws can potentially compromise user data confidentiality and integrity.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that enable unauthorized access or data manipulation can negatively impact compliance with these regulations, which require protection of personal and sensitive data.

Therefore, if exploited, this vulnerability could lead to violations of data protection requirements under common standards and regulations by exposing user sessions and possibly sensitive information.

Impact Analysis

This vulnerability can impact you by allowing attackers to hijack user sessions and execute arbitrary commands on your browser through malicious HTML code injected in messages.

Such attacks can compromise user accounts, steal sensitive information, and potentially allow further exploitation within the application.

Detection Guidance

This vulnerability involves malicious HTML code injection in the messages box component of Totara LMS v19.1.5 and earlier. Detection would involve inspecting messages sent within the application for suspicious or unexpected HTML content.

Since the vulnerability is related to HTML injection in messages, you can detect it by reviewing message contents for embedded scripts or unusual HTML tags.

There are no specific commands provided in the available resources to detect this vulnerability on your network or system.

Mitigation Strategies

The vulnerability can be mitigated by implementing proper sanitization of user input and output within the messages box component to prevent malicious HTML code injection.

Additionally, upgrading Totara LMS to a version later than 19.1.5, where this issue has been fixed, is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31281. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart