CVE-2026-42197
Deferred Deferred - Pending Action
Stored XSS in RELATE Courseware via User Profile

Publication date: 2026-05-27

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin account takeover. The `get_user()` method in `ParticipationAdmin` renders user-controlled input using `mark_safe` combined with Python's % string formatting. This bypasses Django\'s automatic HTML escaping entirely. The value returned by `get_full_name` is derived directly from the `first_name` and `last_name` fields of the User model. These fields are freely editable by any authenticated user through the profile page (`/profile/`) with no sanitization applied. When an admin views the Participation list in the Django admin panel, the unsanitized value is rendered directly into the HTML response, causing the injected script to execute in the admin's browser. Commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-01
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42197
EUVD
EUVD-2026-32627
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
inducer relate to 2024.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42197 is a stored Cross-Site Scripting (XSS) vulnerability in the RELATE web-based courseware system. It occurs because the `get_user()` method in the `ParticipationAdmin` class renders user-controlled input (the user's first and last names) directly into HTML without proper sanitization. These name fields can be freely edited by any authenticated user through their profile page without any input sanitization. When an administrator views the Participation list in the Django admin panel, the malicious script injected into these fields executes in the admin's browser session.

This vulnerability arises from the use of `mark_safe` combined with Python's string formatting, which bypasses Django's automatic HTML escaping. This allows an attacker to inject arbitrary JavaScript code that runs with the privileges of the administrator viewing the page.

The vulnerability can lead to a full administrator account takeover. The issue was fixed in commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 by replacing unsafe rendering methods with Django's `format_html`, which properly escapes user input.

Impact Analysis

This vulnerability can have severe impacts if exploited. An attacker who is an enrolled student can inject malicious JavaScript into their profile's first or last name fields. When an administrator views the Participation list, this script executes in the administrator's browser.

The consequences include potential full takeover of the administrator's account, allowing the attacker to perform any administrative actions within the RELATE system. This compromises the confidentiality and integrity of the system's data and administrative controls.

The vulnerability has a high severity CVSS score of 8.7, requires low privileges (only authenticated user access), and user interaction (admin viewing the Participation list).

Detection Guidance

This vulnerability involves stored cross-site scripting (XSS) in the RELATE courseware system, specifically in the `get_user()` method of the `ParticipationAdmin` class where user-controlled input is rendered unsanitized. Detection involves identifying if malicious JavaScript has been injected into the `first_name` or `last_name` fields of user profiles.

To detect exploitation attempts, you can monitor HTTP requests and responses involving the Django admin Participation list page for suspicious script tags or unusual JavaScript code in the HTML content.

Suggested commands include:

  • Use web proxy tools (e.g., Burp Suite, OWASP ZAP) to intercept and inspect admin panel responses for injected scripts.
  • Search the database for suspicious script tags in `first_name` and `last_name` fields, for example using SQL queries like: `SELECT id, first_name, last_name FROM auth_user WHERE first_name LIKE '%<script>%' OR last_name LIKE '%<script>%';`
  • Check web server logs for unusual requests to `/profile/` endpoints that might indicate attempts to inject scripts.
Mitigation Strategies

The immediate mitigation step is to update the RELATE courseware package to include the fix introduced in commit 555f0efb1c5bd7531c07cd73724d7e566a81f620.

This fix replaces the unsafe use of `mark_safe` and Python string formatting with Django's `format_html` method, which properly escapes user input and prevents XSS attacks.

Until the update can be applied, restrict access to the Django admin Participation list page to trusted administrators only and monitor user profile changes closely.

Additionally, consider sanitizing or validating user input in the `first_name` and `last_name` fields to prevent malicious script injection.

Compliance Impact

The vulnerability allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin account takeover. This can result in unauthorized access to sensitive administrative functions and data.

Such unauthorized access and potential data compromise could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure administrative controls.

However, the provided context and resources do not explicitly discuss the impact of this vulnerability on compliance with these or other common standards and regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42197. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart