CVE-2026-42197

EPSS 0.31%
Veröffentlicht 27.05.2026 18:30:27
Zuletzt bearbeitet 01.06.2026 18:26:25
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

RELATE Vulnerable to Stored XSS via Unprivileged User Profile

RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin account takeover. The `get_user()` method in `ParticipationAdmin` renders user-controlled input using `mark_safe` combined with Python's % string formatting. This bypasses Django\'s automatic HTML escaping entirely. The value returned by `get_full_name` is derived directly from the `first_name`  and `last_name` fields of the User model. These fields are freely editable by any authenticated user through the profile page (`/profile/`) with no sanitization applied. When an admin views the Participation list in the Django admin panel, the unsanitized value is rendered directly into the HTML response, causing the injected script to execute in the admin's browser. Commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerinducer

≫

Produkt relate

Version < 555f0efb1c5bd7531c07cd73724d7e566a81f620

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.31%	0.224

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.7	2.3	5.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/inducer/relate/security/advisories/GHSA-37xm-vhx8-g6w3

https://github.com/inducer/relate/commit/555f0efb1c5bd7531c07cd73724d7e566a81f620

https://github.com/inducer/relate/blob/550b8c54eb4d5f3e5f6698dcba361bf34d715599/course/admin.py#L347-L368

https://nvd.nist.gov/vuln/detail/CVE-2026-42197

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-42197

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-42197

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-42197