CVE-2026-47161 documents a HIGH-severity vulnerability in RELATE, a web-based courseware package. The issue stems from Celery workers configured to accept and deserialize untrusted pickle data, enabling arbitrary command execution by any attacker with access to the message broker. When combined with missing network isolation in the code execution sandbox, an authenticated student can achieve full Remote C [truncated]
A stored cross-site scripting (XSS) vulnerability in RELATE courseware allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin account takeover. The vulnerability exists in the `get_user()` method within `ParticipationAdmin`, which uses `mark_safe` combined with Python's % string formatting to render user-controlled input. This c [truncated]
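The `mark_safe` plus `%` formatting pattern described above, next to a variant that escapes each argument, as an added example that is not RELATE's code. The link template, the two function names and the sample display name are hypothetical, and the small `mark_safe` / `format_html` helpers are standard-library stand-ins for Django's functions of the same names so the block runs without Django installed.

```python
# Added example: stdlib stand-ins for Django's mark_safe / format_html.
from html import escape


class SafeString(str):
    """Text flagged as already-safe HTML (stand-in for Django's SafeString)."""


def mark_safe(s):
    # Declares the string safe; performs no escaping at all.
    return SafeString(s)


def conditional_escape(value):
    # Escape unless the value has already been marked safe.
    if isinstance(value, SafeString):
        return value
    return SafeString(escape(str(value)))


def format_html(template, *args):
    # Escape every argument, then interpolate into the trusted template.
    return SafeString(template.format(*(conditional_escape(a) for a in args)))


# Hypothetical admin link templates (assumption, not taken from RELATE).
LINK_PERCENT = '<a href="/admin/user/%d/">%s</a>'
LINK_BRACES = '<a href="/admin/user/{}/">{}</a>'


def get_user_vulnerable(user_id, display_name):
    # Pattern named on the page: % formatting first, mark_safe on the result.
    # The user-controlled name reaches the page unescaped.
    return mark_safe(LINK_PERCENT % (user_id, display_name))


def get_user_escaped(user_id, display_name):
    # Only the template is trusted; each argument is HTML-escaped.
    return format_html(LINK_BRACES, user_id, display_name)


# Constructed sample input: a display name chosen by the user.
SAMPLE_NAME = '<script>alert(1)</script>'

if __name__ == "__main__":
    print(get_user_vulnerable(7, SAMPLE_NAME))  # markup survives intact
    print(get_user_escaped(7, SAMPLE_NAME))     # markup rendered as text
```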