PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42197 inducer CVE debrief

A stored cross-site scripting (XSS) vulnerability in RELATE courseware allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin account takeover. The vulnerability exists in the `get_user()` method within `ParticipationAdmin`, which uses `mark_safe` combined with Python's % string formatting to render user-controlled input. This combination bypasses Django's automatic HTML escaping entirely. The affected data originates from the `first_name` and `last_name` fields of the User model, which any authenticated user can modify through the `/profile/` endpoint without sanitization. When an administrator views the Participation list in the Django admin panel, the unsanitized value renders directly into the HTML response, executing the injected script.

Vendor: inducer
Product: relate
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running RELATE courseware instances with untrusted student users; Django developers using `mark_safe` in admin interfaces; security teams monitoring for stored XSS in educational technology platforms.

Technical summary

The vulnerability stems from improper use of Django's `mark_safe` utility in the `ParticipationAdmin.get_user()` method. The method constructs HTML using Python's `%` string formatting with user-controlled `first_name` and `last_name` values, then marks the result as safe for rendering. This pattern completely disables Django's auto-escaping protections. The attack vector requires only authenticated student access; no admin credentials are needed for exploitation. The attacker modifies their profile name to include a JavaScript payload, then waits for an admin to view the Participation list. The CVSS score of 8.7 reflects high impact (confidentiality and integrity) with a network attack vector, low attack complexity, low privileges required, and required user interaction (an admin viewing the page). Scope is changed because the admin session is compromised.
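As an added illustration, not code from the RELATE project or the advisory, the following Python shows the unsafe pattern the summary describes beside the `format_html()` form the recommended actions suggest. Django is not required to run it: `SafeString`, `mark_safe`, `conditional_escape` and `format_html` below are small stand-ins that mirror the behaviour of `django.utils.safestring` and `django.utils.html`. The link layout, function names and sample profile are constructed assumptions, not the project's code or data.

```python
import html
from typing import Any

# Stand-ins for Django's SafeString / mark_safe / conditional_escape / format_html
# (django.utils.safestring and django.utils.html) so this runs without Django.
class SafeString(str):
    """A str subclass that Django's template engine would not escape again."""

def mark_safe(s: str) -> SafeString:
    # Django's mark_safe trusts the whole string as-is. It escapes nothing.
    return SafeString(s)

def conditional_escape(value: Any) -> SafeString:
    # Escape anything that is not already marked safe.
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))

def format_html(fmt: str, *args: Any, **kwargs: Any) -> SafeString:
    # Mirrors django.utils.html.format_html: every interpolated argument is
    # escaped; only the developer-written format string is trusted.
    return mark_safe(fmt.format(*(conditional_escape(a) for a in args),
                                **{k: conditional_escape(v) for k, v in kwargs.items()}))

def render_user_vulnerable(first_name: str, last_name: str, username: str) -> SafeString:
    # The pattern the debrief describes: '%' formatting with user-controlled
    # names, then mark_safe on the result. The names are never escaped.
    return mark_safe('<a href="/user/%s/">%s %s</a>' % (username, first_name, last_name))

def render_user_fixed(first_name: str, last_name: str, username: str) -> SafeString:
    # Same markup; format_html escapes each value before marking the result safe.
    return format_html('<a href="/user/{}/">{} {}</a>', username, first_name, last_name)

def contains_raw_tag(rendered: str) -> bool:
    # Crude comparison check only: does an unescaped <script tag survive
    # into the rendered output?
    return "<script" in rendered

# Constructed sample profile (hypothetical, not data from the advisory). A
# student can set first_name to anything through the profile form.
SAMPLE_PROFILE = {
    "first_name": "<script>alert(1)</script>",
    "last_name": "Doe",
    "username": "student1",
}

if __name__ == "__main__":
    print("vulnerable:", render_user_vulnerable(**SAMPLE_PROFILE))
    print("fixed:     ", render_user_fixed(**SAMPLE_PROFILE))
```

The point to take from the two renderings is that `mark_safe` is a promise about the whole string, so it is only correct when every piece of that string was already escaped (or was written by the developer); `format_html` keeps that promise by escaping each argument and trusting only the format string.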

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade RELATE to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 or later immediately.
  • Review Django admin customizations for any use of `mark_safe` with user-controlled input and replace with proper template escaping or `format_html()`.
  • Audit User model fields that accept user input for HTML sanitization or validation.
  • Implement Content Security Policy (CSP) headers to mitigate impact of XSS vulnerabilities.
  • Review admin access logs for suspicious activity involving Participation list views.
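To support the second action above (reviewing admin customisations for `mark_safe` on user-controlled input), here is an added audit helper, written for this debrief and not part of RELATE or Django. It parses Python source with the standard `ast` module and flags `mark_safe(...)` calls whose argument is built by `%` formatting, concatenation, an f-string or `.format()`, and also reports calls on a bare variable or attribute so a reviewer can trace where that value comes from. Plain string constants are not flagged. The `SAMPLE_SOURCE` is a constructed file imitating the shape of the affected admin code; the class and attribute names in it are assumptions.

```python
import ast
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Finding:
    lineno: int
    reason: str

def _is_mark_safe_call(node: ast.Call) -> bool:
    # Matches both `mark_safe(...)` and `safestring.mark_safe(...)`.
    func = node.func
    if isinstance(func, ast.Name):
        return func.id == "mark_safe"
    return isinstance(func, ast.Attribute) and func.attr == "mark_safe"

def _describe_unsafe_arg(arg: ast.expr) -> Optional[str]:
    # Forms in which data can be interpolated into markup without escaping.
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Mod):
        return "'%' string formatting"
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Add):
        return "string concatenation"
    if isinstance(arg, ast.JoinedStr):
        return "f-string"
    if (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
            and arg.func.attr == "format"):
        return ".format() call"
    if isinstance(arg, (ast.Name, ast.Attribute)):
        return "non-literal value (review where it comes from)"
    return None  # a plain string constant carries no user data

def audit_mark_safe(source: str) -> List[Finding]:
    """Return every mark_safe() call in `source` whose argument needs review."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_mark_safe_call(node) and node.args:
            reason = _describe_unsafe_arg(node.args[0])
            if reason is not None:
                findings.append(Finding(node.lineno, reason))
    return sorted(findings, key=lambda f: f.lineno)

# Constructed sample admin module (hypothetical; not the RELATE source).
SAMPLE_SOURCE = '''\
from django.utils.html import format_html
from django.utils.safestring import mark_safe

class ParticipationAdmin:
    def get_user(self, obj):
        return mark_safe('<a href="/u/%s/">%s %s</a>' % (obj.user.username, obj.user.first_name, obj.user.last_name))

    def get_user_fixed(self, obj):
        return format_html('<a href="/u/{}/">{} {}</a>', obj.user.username, obj.user.first_name, obj.user.last_name)

    def badge(self, obj):
        return mark_safe('<span class="badge">ok</span>')

    def label(self, obj):
        return mark_safe(f"<b>{obj.user.first_name}</b>")
'''

if __name__ == "__main__":
    for finding in audit_mark_safe(SAMPLE_SOURCE):
        print(f"line {finding.lineno}: mark_safe() on {finding.reason}")
```

Run over a real tree with `audit_mark_safe(path.read_text())` per `.py` file. The check is syntactic, so it cannot tell whether a flagged value is actually user-controlled; it narrows the review to the calls that can interpolate data, which is where the `get_user()` defect lived.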

Evidence notes

The vulnerability was disclosed via GitHub Security Advisory GHSA-37xm-vhx8-g6w3. The fix is available in commit 555f0efb1c5bd7531c07cd73724d7e566a81f620. The vulnerable code path is located in course/admin.py lines 347-368. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. CWE-79 (Improper Neutralization of Input During Web Page Generation) is the primary weakness classification.

Official resources

2026-05-27