CVE-2026-42857 Overview
CVE-2026-42857 is a CSS injection vulnerability in the Open edX Platform, an open-source system for authoring and delivering online learning at scale. The flaw exists in the clean_thread_html_body() HTML sanitizer used for discussion notification emails. The sanitizer fails to strip <style> tags from user-generated discussion post content. Because Django's |safe template filter renders this content in email notification templates, any enrolled student can inject arbitrary CSS into emails delivered to other users. The vulnerability is classified as Cross-Site Scripting [CWE-79] and was fixed in commit cddc25cd791bb78f76833896e4778f668861df12.
Critical Impact
An authenticated student can inject CSS into discussion email notifications to perform email tracking with IP address disclosure, content spoofing, and phishing attacks against other course participants.
Affected Products
- Open edX Platform (openedx/openedx-platform)
- Versions prior to commit cddc25cd791bb78f76833896e4778f668861df12
- Deployments using the discussion notification email feature
Discovery Timeline
- 2026-05-11 - CVE-2026-42857 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42857
Vulnerability Analysis
The vulnerability resides in lms/djangoapps/discussion/rest_api/discussions_notifications.py, specifically inside the clean_thread_html_body() helper. This function sanitizes HTML from discussion threads before that content is embedded into outbound notification emails. The sanitizer's tag removal list omits the <style> element, allowing attacker-controlled CSS to survive into the rendered email body.
The rendered template applies Django's |safe filter, which disables auto-escaping. Combined with the missing <style> filtering, this allows arbitrary CSS rules to reach recipient mail clients. An attacker can use this to load remote resources via CSS properties such as background-image: url(), which mail clients fetch when displaying the message. That fetch discloses the recipient's IP address and user agent to attacker-controlled infrastructure and doubles as a read receipt.
CSS injection also enables visual content spoofing. Attackers can hide legitimate text, position malicious overlays, or restyle email elements to impersonate Open edX system messages and drive phishing flows.
Root Cause
The BeautifulSoup-based sanitizer in clean_thread_html_body() enumerated tags to remove but did not call decompose() on <style> elements. CSS declarations therefore passed through to the email template, which trusted the input via the |safe filter.
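To make the root cause concrete, the following is an added example written for this page, not the Open edX project's own code: a simplified model of the sanitizer before the fix (no <style> handling at all), the patched form (decompose <style> first), and a third variant that unwraps <style> to show why the patch comment says "decompose, not unwrap". The tag list, the sample post body and the tracker.invalid / example.invalid hostnames are all constructed placeholders. The decompose-based function is also the shape of the pre-send filter listed later under Workarounds.

```python
import html
from bs4 import BeautifulSoup

# Constructed sample of a discussion post body as it might reach the sanitizer:
# ordinary text plus a <style> block that points at an external resource.
# tracker.invalid / example.invalid are placeholders, not indicators from the advisory.
SAMPLE_POST = (
    "<p>Has anyone finished problem set 3?</p>"
    "<style>body { background-image: url('https://tracker.invalid/pixel.png'); }</style>"
    "<a href='https://example.invalid'>link</a>"
)

# Simplified stand-in for the page's tags_to_remove list (assumption: these are
# unwrapped, i.e. the element goes but its text stays).
TAGS_TO_UNWRAP = ["a", "link", "img", "picture", "source"]


def clean_vulnerable(body: str) -> str:
    """Model of pre-patch behaviour: <style> appears in no removal list, so it survives."""
    soup = BeautifulSoup(html.unescape(body), "html.parser")
    for tag in TAGS_TO_UNWRAP:
        for match in soup.find_all(tag):
            match.unwrap()
    return str(soup)


def clean_fixed(body: str) -> str:
    """Model of patched behaviour: <style> elements are decomposed before anything else."""
    soup = BeautifulSoup(html.unescape(body), "html.parser")
    # decompose() drops the element together with its text content, so no CSS
    # declaration reaches the template that later renders this through |safe.
    for match in soup.find_all("style"):
        match.decompose()
    for tag in TAGS_TO_UNWRAP:
        for match in soup.find_all(tag):
            match.unwrap()
    return str(soup)


def clean_unwrap_style(body: str) -> str:
    """Wrong tool: unwrap() removes the <style> tag but leaves the raw CSS as visible text."""
    soup = BeautifulSoup(html.unescape(body), "html.parser")
    for match in soup.find_all("style"):
        match.unwrap()
    return str(soup)


def contains_style_tag(rendered: str) -> bool:
    """Cheap post-condition check a unit test or pre-send hook can apply."""
    return "<style" in rendered.lower()


if __name__ == "__main__":
    for name, fn in [("vulnerable", clean_vulnerable),
                     ("fixed", clean_fixed),
                     ("unwrap-only", clean_unwrap_style)]:
        out = fn(SAMPLE_POST)
        print(f"{name:12} style tag present: {contains_style_tag(out)!s:5}  -> {out}")
```

Running the block shows the vulnerable model emitting the <style> block untouched, the unwrap-only variant emitting the CSS declarations as plain text in the email body, and the fixed model emitting only the paragraph and the unwrapped link text.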
Attack Vector
An authenticated user with course enrollment posts a discussion thread or reply containing a crafted <style> block. When Open edX dispatches a notification email referencing that post, each recipient's mail client applies the injected CSS to the extent it honors <style> blocks.
truncated_body = html.unescape(truncated_body)
html_body = BeautifulSoup(truncated_body, 'html.parser')
+ # Remove tags including their content (decompose, not unwrap)
+ tags_to_decompose = [
+ "style", # CSS injection
+ ]
+ for tag in tags_to_decompose:
+ for match in html_body.find_all(tag):
+ match.decompose()
+
tags_to_remove = [
"a", "link", # Link Tags
"img", "picture", "source", # Image Tags
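Review bot: the new decompose pass carries no regression test in this hunk; add a case that feeds a body such as `<style>body{background-image:url(...)}</style>` through clean_thread_html_body() and asserts that both the tag and its CSS text are absent from the result, since that tag-plus-content removal is exactly what the `decompose, not unwrap` comment relies on. Minor style point: BeautifulSoup's find_all() accepts a list of names, so `for match in html_body.find_all(tags_to_decompose): match.decompose()` replaces the nested loop.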
Source: Open edX Platform patch commit cddc25c
Detection Methods for CVE-2026-42857
Indicators of Compromise
- Discussion post records containing <style> tags or CSS declarations such as @import, background-image: url(, or content: url(
- Outbound notification emails referencing external domains in CSS url() properties not associated with the Open edX deployment
- Web server logs on attacker-controlled domains showing image or font requests originating from recipient mail client IP ranges
Detection Strategies
- Query the discussion database for thread and comment bodies matching the regex pattern <style[^>]*> to identify posts that may have triggered the issue
- Inspect rendered MIME content of discussion notification emails for embedded <style> blocks or external resource references in CSS
- Correlate spikes in discussion activity from a single enrolled account with outbound notification volume to flag bulk abuse
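The following is an added example, not tooling from the page or the Open edX project, that applies the indicators above to stored post bodies: it flags the <style[^>]*> pattern, the listed CSS indicators (@import, background-image: url(, content: url(), and any url() or @import target whose hostname is outside the deployment's own domains. The post records, the DEPLOYMENT_HOSTS allowlist and the tracker.invalid / example.invalid hostnames are constructed placeholders; a real run would feed bodies from the discussion store and the deployment's real domains.

```python
import re
from urllib.parse import urlparse

# Hostnames that legitimately appear in this deployment's email HTML/CSS.
# Placeholder values (assumption); replace with the deployment's own domains.
DEPLOYMENT_HOSTS = {"lms.example.invalid", "cdn.example.invalid"}

# Pattern from the Detection Strategies list, case-insensitive so <STYLE> is caught too.
STYLE_TAG_RE = re.compile(r"<style[^>]*>", re.IGNORECASE)
# CSS indicators from the Indicators of Compromise list.
CSS_INDICATOR_RE = re.compile(
    r"@import|background-image\s*:\s*url\(|content\s*:\s*url\(", re.IGNORECASE
)
# Targets of url(...) and of bare @import '...' / @import "..." forms.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)
CSS_IMPORT_RE = re.compile(r"@import\s+['\"]([^'\"]+)['\"]", re.IGNORECASE)


def scan_post(post_id, body):
    """Return (post_id, indicator, detail) findings for one discussion post body."""
    findings = []
    tag = STYLE_TAG_RE.search(body)
    if tag:
        findings.append((post_id, "style_tag", tag.group(0)))
    for m in CSS_INDICATOR_RE.finditer(body):
        findings.append((post_id, "css_indicator", m.group(0)))
    # Resolve every referenced resource and flag hosts outside the allowlist.
    targets = [m.group(1) for m in CSS_URL_RE.finditer(body)]
    targets += [m.group(1) for m in CSS_IMPORT_RE.finditer(body)]
    for target in targets:
        host = urlparse(target).hostname
        if host and host not in DEPLOYMENT_HOSTS:
            findings.append((post_id, "external_css_url", host))
    return findings


def scan_posts(posts):
    """Scan an iterable of (post_id, body) records and collect all findings."""
    results = []
    for post_id, body in posts:
        results.extend(scan_post(post_id, body))
    return results


# Constructed sample records standing in for rows from the discussion store.
SAMPLE_POSTS = [
    (101, "<p>Where is the office hours link?</p>"),
    (102, "<p>Reminder</p><STYLE>body{background-image:url(https://tracker.invalid/px.png)}</STYLE>"),
    (103, "<p>Nice</p><style>@import 'https://cdn.example.invalid/theme.css';</style>"),
    (104, "<p>plain text mentioning url(https://cdn.example.invalid/a.png) in prose</p>"),
]

if __name__ == "__main__":
    for finding in scan_posts(SAMPLE_POSTS):
        print(finding)
```

Post 102 produces three findings (style tag, background-image indicator, external host); post 103 produces two (style tag, @import) but no external-host finding because the import target is on the allowlist; posts 101 and 104 produce none, so a url() in ordinary prose pointing at a deployment host is not flagged.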
Monitoring Recommendations
- Enable logging of full HTML payloads passed to clean_thread_html_body() during the remediation window
- Monitor egress DNS and HTTP requests from mail relays and gateways for resolution of unfamiliar domains referenced in email bodies
- Track user reports of suspicious or visually anomalous Open edX notification emails through the support channel
How to Mitigate CVE-2026-42857
Immediate Actions Required
- Apply the upstream fix by pulling commit cddc25cd791bb78f76833896e4778f668861df12 or upgrading to an Open edX release that includes it
- Audit existing discussion content for embedded <style> tags and remove or neutralize affected posts
- Notify course staff to scrutinize unexpected discussion notification emails and report suspected phishing attempts
Patch Information
The maintainers fixed the issue by adding style to a new tags_to_decompose list inside clean_thread_html_body(). The patch uses BeautifulSoup's decompose() method, which removes the tag and its contents rather than merely unwrapping it. Refer to the GitHub Security Advisory GHSA-4xv3-5j4x-q8g4 and the patch commit for implementation details.
Workarounds
- Temporarily disable discussion notification emails until the patch is deployed
- Add a pre-send filter in the mail pipeline that strips <style> elements from outbound notification HTML
- Configure outbound mail gateways to rewrite or block external resource references in email CSS
# Apply the upstream patch in an Open edX deployment
cd /edx/app/edxapp/edx-platform
git fetch origin
git cherry-pick cddc25cd791bb78f76833896e4778f668861df12
sudo /edx/bin/supervisorctl restart lms cms
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.