CVE-2026-31281HIGH 8.0EPSS p21.6%

CVE-2026-31281CVE-2026-31281

Description

Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's browser. NOTE: The supplier states that the product name is Totara Learning and that the functionality referenced is the in app messaging client. They note that the in app messaging client only has the ability to embed a specific allowed list of HTML tags commonly used for text enhancement, which includes italic, bold, underline, strong, etc. Last, they state that the in app messaging client cannot embed <script>, <style>, <iframe>, <object>, <embed>, <form>, <input>, <button>, <svg>, <math>, etc., and any attempt to embed tags or attributes outside of the allowed list (including onerror, onaction, etc.) is sanitized via DOMPurify.

Scoring

CVSS 3.18.0 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS0.30% probability of exploitation · percentile 21.6% · 2026-06-18T12:00:27Z
Published2026-04-13
Last modified2026-04-24

Underlying weaknesses· 1

CWE-79

References

  1. https://github.com/saykino/CVE-2026-31281
  2. https://www.totara.com/

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')cwe-790%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-31282
CVE
CVE-2026-31283
CVE
CVE-2024-11321
CVE
CVE-2026-41293
CVE
CVE-2026-48865
CVE
CVE-2026-11186
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.