CVE-2026-31281

Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's browser. NOTE: The supplier states that the product name is Totara Learning and that the functionality referenced is the in app messaging client. They note that the in app messaging client only has the ability to embed a specific allowed list of HTML tags commonly used for text enhancement, which includes italic, bold, underline, strong, etc. Last, they state that the in app messaging client cannot embed <script>, <style>, <iframe>, <object>, <embed>, <form>, <input>, <button>, <svg>, <math>, etc., and any attempt to embed tags or attributes outside of the allowed list (including onerror, onaction, etc.) is sanitized via DOMPurify.
Configurations

No configuration.

History

24 Apr 2026, 17:16

Type Values Removed Values Added
Summary (en) Totara LMS v19.1.5 and before is vulnerable to HTLM Injection. An attacker can inject malicious HTLM code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's browser. (en) Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's browser. NOTE: The supplier states that the product name is Totara Learning and that the functionality referenced is the in app messaging client. They note that the in app messaging client only has the ability to embed a specific allowed list of HTML tags commonly used for text enhancement, which includes italic, bold, underline, strong, etc. Last, they state that the in app messaging client cannot embed <script>, <style>, <iframe>, <object>, <embed>, <form>, <input>, <button>, <svg>, <math>, etc., and any attempt to embed tags or attributes outside of the allowed list (including onerror, onaction, etc.) is sanitized via DOMPurify.

14 Apr 2026, 17:16

Type Values Removed Values Added
CWE CWE-79
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.0

13 Apr 2026, 15:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-04-13 15:17

Updated : 2026-06-17 10:33


NVD link : CVE-2026-31281

Mitre link : CVE-2026-31281

CVE.ORG link : CVE-2026-31281


JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')