CVE-2026-42857
HTML Sanitizer Flaw in Open edX Emails Allows CSS Injection
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openedx | openedx_platform | to cddc25cd791bb78f76833896e4778f668861df12 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Open edX platform's email notification system for discussion posts. The function clean_thread_html_body() is supposed to sanitize user-generated content before it is included in email notifications. However, it fails to remove <style> tags and their CSS content from discussion posts.
Because the sanitized content is rendered using Django's |safe template filter, the malicious CSS inside the <style> tags can execute in the email client. This allows any enrolled student to inject arbitrary CSS into emails sent to other users.
The injected CSS can be used for email tracking (such as IP address disclosure), content spoofing, and phishing attacks.
How can this vulnerability impact me? :
This vulnerability can impact users by enabling attackers to perform several malicious actions through email notifications.
- Email tracking that can disclose the recipient's IP address and other information.
- Content spoofing, where attackers can hide legitimate content and display fake messages to deceive users.
- Phishing attacks that trick users into visiting malicious links or providing sensitive information.
These impacts can lead to privacy violations, potential credential theft, and reputational damage to the educational institution using the platform.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the presence of <style> tags with arbitrary CSS in user-generated discussion post content that is included in email notifications. Detection would involve inspecting the content of discussion posts and the resulting email notifications for unsanitized <style> tags or suspicious CSS.
Since the vulnerability is related to email notifications sent by the Open edX platform, you can detect it by searching for emails containing <style> tags in the HTML body of discussion notification emails.
Suggested commands to detect this might include:
- Using grep or similar tools to search discussion post content or email logs for <style> tags, e.g., `grep -i '<style' /path/to/email/logs/*`
- Extracting and inspecting the HTML content of discussion posts stored in the database for <style> tags.
- Monitoring outgoing email notifications for presence of <style> tags or suspicious CSS by parsing email content.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to apply the fix that properly sanitizes the discussion post content by removing <style> tags and their CSS content from email notifications.
Specifically, update the Open edX platform to include the patch from commit cddc25cd791bb78f76833896e4778f668861df12, which modifies the clean_thread_html_body() function to fully remove <style> tags using decompose(), preventing arbitrary CSS injection.
Until the patch is applied, consider disabling or restricting discussion email notifications to reduce exposure.
Additionally, educate users about the risk of phishing and suspicious email content, and monitor for unusual email activity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability enables email tracking through CSS-based techniques that can disclose users' IP addresses, leading to privacy violations. Such unauthorized disclosure of personal data can impact compliance with privacy regulations like GDPR, which mandates protection of personal information and user privacy.
Additionally, the vulnerability allows content spoofing and phishing attacks, which can lead to credential theft and reputational damage. These risks may affect compliance with security standards that require safeguarding user data and preventing unauthorized access or fraud.
Overall, the vulnerability poses risks to confidentiality and integrity of user data, which are core requirements in regulations such as GDPR and HIPAA, potentially leading to non-compliance if exploited.