Medium severity4.6NVD Advisory· Published May 11, 2026· Updated May 13, 2026

CVE-2026-42857

Description

Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags from user-generated discussion post content. This content is rendered with Django's |safe template filter in email notification templates, allowing any enrolled student to inject arbitrary CSS into email notifications sent to other users. This enables email tracking (IP address disclosure), content spoofing, and phishing attacks. This vulnerability is fixed with commit cddc25cd791bb78f76833896e4778f668861df12.

Affected products

Openedx/Openedx Platformreferences

Patches

cddc25cd791b

fix: remove style tags from discussion email notification HTML

https://github.com/openedx/openedx-platformFeanil PatelApr 17, 2026via nvd-ref

commit

2 files changed · +21 −0

lms/djangoapps/discussion/rest_api/discussions_notifications.py+8 −0 modified

@@ -465,6 +465,14 @@ def clean_thread_html_body(html_body):
     truncated_body = html.unescape(truncated_body)
     html_body = BeautifulSoup(truncated_body, 'html.parser')
 
+    # Remove tags including their content (decompose, not unwrap)
+    tags_to_decompose = [
+        "style",  # CSS injection
+    ]
+    for tag in tags_to_decompose:
+        for match in html_body.find_all(tag):
+            match.decompose()
+
     tags_to_remove = [
         "a", "link",  # Link Tags
         "img", "picture", "source",  # Image Tags

lms/djangoapps/discussion/rest_api/tests/test_discussions_notifications.py+13 −0 modified

@@ -217,3 +217,16 @@ def test_strip_empty_tags(self):
         html_body = '<div><p></p><p>content</p><p></p></div>'
         result = clean_thread_html_body(html_body)
         self.assertEqual(result, '<p style="margin: 0"><p style="margin: 0">content</p></p>')  # noqa: PT009
+
+    def test_style_tag_removed_with_content(self):
+        """
+        Test that style tags and their CSS content are fully removed (CSS injection prevention).
+        """
+        html_body = (
+            '<p>Hello</p>'
+            '<style>body { background-image: url("https://evil.com/track"); }</style>'
+        )
+        result = clean_thread_html_body(html_body)
+        self.assertNotIn('<style>', result)  # noqa: PT009
+        self.assertNotIn('background-image', result)  # noqa: PT009
+        self.assertNotIn('evil.com', result)  # noqa: PT009

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/openedx/openedx-platform/commit/cddc25cd791bb78f76833896e4778f668861df12nvdPatch
github.com/openedx/openedx-platform/security/advisories/GHSA-4xv3-5j4x-q8g4nvdExploitVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.299
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000