VYPR

Vendor: Openedx
Products: 7
CVEs: 18
Across products: 20
Status: Private

Products (7)

Recent CVEs (18)
  • CVE-2025-68270 (Critical), Dec 16, 2025
    risk 0.64, cvss 9.9, epss 0.00

    The Open edX Platform is a learning management platform. Prior to commit 05d0d0936daf82c476617257aa6c35f0cd4ca060, CourseLimitedStaffRole users are able to access and edit courses in studio if they are granted the role on an org rather than on a course, and…

  • CVE-2026-42860 (High), May 11, 2026
    risk 0.48, cvss 8.5, epss 0.00

    The Open edx Enterprise Service app provides enterprise features to the Open edX platform. From 7.0.2 to 7.0.4, the sync_provider_data endpoint in SAMLProviderDataViewSet fetches SAML metadata from a URL stored in SAMLProviderConfig.metadata_source. An authenticated user with…

  • CVE-2026-42858 (High), May 11, 2026
    risk 0.48, cvss 8.5, epss 0.00

    Open edX Platform enables the authoring and delivery of online learning at any scale. The sync_provider_data endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply an arbitrary URL via the metadata_url POST parameter. This URL is passed…

  • CVE-2015-6671 (Medium), Mar 13, 2017
    risk 0.38, cvss 5.9, epss 0.01

    Open edX edx-platform before 2015-08-25 requires use of the database for storage of SAML SSO secrets, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging access to a database backup.

  • CVE-2026-34736 (Medium), Apr 2, 2026
    risk 0.27, cvss 5.3, epss 0.00

    Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens…

  • CVE-2025-47942 (Medium), May 21, 2025
    risk 0.27, cvss 5.3, epss 0.00

    The Open edX Platform is a learning management platform. Prior to commit 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba, edxapp has no built-in protection against downloading the python_lib.zip asset from courses, which is a concern since it often contains custom grading code or…

  • CVE-2024-41806 (Medium), Jul 25, 2024
    risk 0.27, cvss 5.3, epss 0.00

    The Open edX Platform is a learning management platform. Instructors can upload csv files containing learner information to create cohorts in the instructor dashboard. These files are uploaded using the django default storage. With certain storage backends, uploads may become…

  • CVE-2026-35404 (Medium), Apr 6, 2026
    risk 0.24, cvss 4.7, epss 0.00

    Open edX Platform enables the authoring and delivery of online learning at any scale. The view_survey endpoint accepts a redirect_url GET parameter that is passed directly to HttpResponseRedirect() without any URL validation. When a non-existent survey name is provided, the…

  • CVE-2026-42857 (Medium), May 11, 2026
    risk 0.23, cvss 4.6, epss 0.00

    Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove tags from user-generated discussion post content. This content is rendered with…

  • CVE-2025-69784, Mar 16, 2026
    risk 0.00, cvss n/a, epss 0.00

    A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an…

  • CVE-2025-69783, Mar 16, 2026
    risk 0.00, cvss n/a, epss 0.00

    A local attacker can bypass OpenEDR's 2.5.1.0 self-defense mechanism by renaming a malicious executable to match a trusted process name (e.g., csrss.exe, edrsvc.exe, edrcon.exe). This allows unauthorized interaction with the OpenEDR kernel driver, granting access to privileged…

  • CVE-2024-43782, Aug 23, 2024
    risk 0.00, cvss n/a, epss 0.01

    This openedx-translations repository contains translation files from Open edX repositories to be kept in sync with Transifex. Before moving to pulling translations from the openedx-translations repository via openedx-atlas, translations in the edx-platform repository were…

  • CVE-2024-22209, Jan 13, 2024
    risk 0.00, cvss n/a, epss 0.01

    Open edX Platform is a service-oriented platform for authoring and delivering online learning. A user with a JWT and more limited scopes could call endpoints exceeding their access. This vulnerability has been patched in commit 019888f.

  • CVE-2023-23611, Jan 25, 2023
    risk 0.00, cvss n/a, epss 0.00

    LTI Consumer XBlock implements the consumer side of the LTI specification enabling integration of third-party LTI provider tools. Versions 7.0.0 and above, prior to 7.2.2, are vulnerable to Missing Authorization. Any LTI tool that is integrated with on the Open edX platform can…

  • CVE-2022-46147, Nov 28, 2022
    risk 0.00, cvss n/a, epss 0.01

    Drag and Drop XBlock v2 implements a drag-and-drop style problem, where a learner has to drag items to zones on a target image. Versions prior to 3.0.0 are vulnerable to cross-site scripting in multiple XBlock Fields. Any platform that has deployed the XBlock may be impacted.…

  • CVE-2022-32195, Jun 9, 2022
    risk 0.00, cvss n/a, epss 0.02

    Open edX platform before 2022-06-06 allows XSS via the "next" parameter in the logout URL.

  • CVE-2021-39248, Aug 17, 2021
    risk 0.00, cvss n/a, epss 0.01

    Open edX through Lilac.1 allows XSS in common/static/common/js/discussion/utils.js via crafted LaTeX content within a discussion.

  • CVE-2019-20513, Mar 19, 2020
    risk 0.00, cvss n/a, epss 0.00

    Open edX Ironwood.1 allows support/certificates?user= reflected XSS.