CVE-2026-42197
Stored XSS in RELATE Courseware via User Profile
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| inducer | relate | < 2024.1 (2024.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42197 is a stored Cross-Site Scripting (XSS) vulnerability in the RELATE web-based courseware system. It occurs because the `get_user()` method in the `ParticipationAdmin` class renders user-controlled input (the user's first and last names) directly into HTML without proper sanitization. These name fields can be freely edited by any authenticated user through their profile page without any input sanitization. When an administrator views the Participation list in the Django admin panel, the malicious script injected into these fields executes in the admin's browser session.
This vulnerability arises from wrapping a `%`-formatted string in `mark_safe`, which tells Django the result is already safe HTML and so bypasses its automatic escaping. This allows an attacker to inject arbitrary JavaScript code that runs with the privileges of the administrator viewing the page.
The vulnerability can lead to a full administrator account takeover. The issue was fixed in commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 by replacing unsafe rendering methods with Django's `format_html`, which properly escapes user input.
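The following is an added example, not code from RELATE or the fixing commit: it reproduces the `mark_safe` plus `%`-formatting pattern the advisory describes beside the `format_html` replacement, using a stand-in `User` object. If Django is not installed, it falls back to minimal stand-ins for `mark_safe` and `format_html` that preserve the one property that matters here (only `format_html` escapes its arguments).

```python
import html

try:
    from django.utils.html import format_html, mark_safe
except ImportError:
    # Assumption: Django is not installed. These stand-ins mirror the relevant
    # behaviour only: mark_safe trusts its input, format_html escapes each argument.
    def mark_safe(s):
        return s

    def format_html(fmt, *args):
        return fmt.format(*(html.escape(str(a), quote=True) for a in args))


class User:
    """Stand-in for Django's auth User with the two fields a user can edit."""

    def __init__(self, first_name, last_name):
        self.first_name = first_name
        self.last_name = last_name


def get_user_vulnerable(user):
    # Pattern described in the advisory: mark_safe over a %-formatted string
    # disables autoescaping, so any markup in the name reaches the admin page verbatim.
    return mark_safe("%s %s" % (user.first_name, user.last_name))


def get_user_fixed(user):
    # The fix: format_html escapes every argument before marking the result safe,
    # so markup in the name is rendered as text, not interpreted by the browser.
    return format_html("{} {}", user.first_name, user.last_name)


# Constructed sample profile: a first name carrying HTML markup.
SAMPLE = User("Alice<b>", "Smith")

if __name__ == "__main__":
    print("vulnerable:", get_user_vulnerable(SAMPLE))
    print("fixed:     ", get_user_fixed(SAMPLE))
```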
How can this vulnerability impact me?
This vulnerability can have severe impacts if exploited. An attacker who is an enrolled student can inject malicious JavaScript into their profile's first or last name fields. When an administrator views the Participation list, this script executes in the administrator's browser.
The consequences include potential full takeover of the administrator's account, allowing the attacker to perform any administrative actions within the RELATE system. This compromises the confidentiality and integrity of the system's data and administrative controls.
The vulnerability has a high-severity CVSS score of 8.7. It requires only low privileges (an authenticated user account) and user interaction (an administrator viewing the Participation list).
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored cross-site scripting (XSS) in the RELATE courseware system, specifically in the `get_user()` method of the `ParticipationAdmin` class where user-controlled input is rendered unsanitized. Detection involves identifying if malicious JavaScript has been injected into the `first_name` or `last_name` fields of user profiles.
To detect exploitation attempts, you can monitor HTTP requests and responses involving the Django admin Participation list page for suspicious script tags or unusual JavaScript code in the HTML content.
Suggested commands include:
- Use web proxy tools (e.g., Burp Suite, OWASP ZAP) to intercept and inspect admin panel responses for injected scripts.
- Search the database for suspicious script tags in `first_name` and `last_name` fields, for example using SQL queries like: `SELECT id, first_name, last_name FROM auth_user WHERE first_name LIKE '%<script>%' OR last_name LIKE '%<script>%';`
- Check web server logs for unusual requests to `/profile/` endpoints that might indicate attempts to inject scripts.
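As an added example (not part of the advisory), the scan below runs the database check from the list above over exported `auth_user` rows in Python. It goes slightly beyond the page's `LIKE '%<script>%'` query: because a literal `<script>` tag is only one way markup can carry JavaScript, it flags any tag-like markup, inline event-handler attribute, or `javascript:` scheme in the two editable fields. The row shape `(id, first_name, last_name)` is an assumption matching the query's column list.

```python
import re
from typing import Iterable, List, Tuple

# Assumption: rows are (id, first_name, last_name) tuples, e.g. from
# cursor.fetchall() on the SELECT shown above or from a CSV export.
Row = Tuple[int, str, str]

_SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!]"     # any opening/closing tag or HTML comment
    r"|\bon[a-z]+\s*="     # inline event-handler attribute (onload=, onerror=, ...)
    r"|javascript\s*:",    # javascript: URL scheme
    re.IGNORECASE,
)


def find_suspicious_names(rows: Iterable[Row]) -> List[Tuple[int, str, str]]:
    """Return (id, field, value) for every name field that contains HTML/JS markup."""
    hits = []
    for user_id, first, last in rows:
        for field, value in (("first_name", first), ("last_name", last)):
            if value and _SUSPICIOUS.search(value):
                hits.append((user_id, field, value))
    return hits


# Constructed sample rows: clean names, a script tag, an event handler, and
# legitimate punctuation / non-ASCII that must not be flagged.
SAMPLE_ROWS = [
    (1, "Alice", "Smith"),
    (2, "Bob<script>alert(1)</script>", "Jones"),
    (3, "Carol", 'x" onmouseover="alert(1)'),
    (4, "O'Brien", "Müller"),
]

if __name__ == "__main__":
    for user_id, field, value in find_suspicious_names(SAMPLE_ROWS):
        print(f"user {user_id}: {field} = {value!r}")
```

A hit means the field should be reviewed and cleaned and the account investigated; it does not by itself prove an administrator has viewed the page.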
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the RELATE courseware package to include the fix introduced in commit 555f0efb1c5bd7531c07cd73724d7e566a81f620.
This fix replaces the unsafe use of `mark_safe` and Python string formatting with Django's `format_html` method, which properly escapes user input and prevents XSS attacks.
Until the update can be applied, restrict access to the Django admin Participation list page to trusted administrators only and monitor user profile changes closely.
Additionally, consider sanitizing or validating user input in the `first_name` and `last_name` fields to prevent malicious script injection.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin account takeover. This can result in unauthorized access to sensitive administrative functions and data.
Such unauthorized access and potential data compromise could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data and secure administrative controls.
However, the provided context and resources do not explicitly discuss the impact of this vulnerability on compliance with these or other common standards and regulations.