Description

Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's browser. NOTE: The supplier states that the product name is Totara Learning and that the functionality referenced is the in app messaging client. They note that the in app messaging client only has the ability to embed a specific allowed list of HTML tags commonly used for text enhancement, which includes italic, bold, underline, strong, etc. Last, they state that the in app messaging client cannot embed <script>, <style>, <iframe>, <object>, <embed>, <form>, <input>, <button>, <svg>, <math>, etc., and any attempt to embed tags or attributes outside of the allowed list (including onerror, onaction, etc.) is sanitized via DOMPurify.

INFO

Published Date :

2026-04-13T00:00:00.000Z

Last Modified :

2026-04-24T16:34:23.641Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2026-31281 vulnerability.

Vendors Products
Totara
  • Lms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-31281.

URL Resource
https://github.com/saykino/CVE-2026-31281 cve-icon cve-icon
https://www.totara.com/ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact