cvebase

Inducer Relate vulnerabilities

8 known vulnerabilities affecting inducer/relate.

Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 6, MEDIUM 1, LOW 1

Vulnerabilities

CVE-2026-47161 | P2 | HIGH | CVSS 8.7 | fixed in d66ba5659b459bf1ba56b7109b5f9ecf197cbefb | 2026-05-27
CVE-2026-47161 [HIGH] CWE-502: RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, RELATE LMS configures its Celery workers to accept and deserialize untrusted 'pickle' data. An attacker who can reach the message broker can execute arbitrary commands on the host server. Combined with missing network isolation in the code execution sand
nvd
CVE-2024-32407 | P3 | HIGH | CVSS 8.8 | fixed in 2024.1 | 2024-04-22
CVE-2024-32407 [HIGH] CWE-918: An issue in inducer relate before v.2024.1 allows a remote attacker to execute arbitrary code via a crafted payload to the Page Sandbox feature.
nvd
CVE-2026-41588 | P3 | HIGH | CVSS 8.1 | fixed in 2026-04-17 | fixed in 2f68e16cd3b96d25c188c1aa3f7e13cdb15cdaeb | 2026-05-08
CVE-2026-41588 [HIGH] CWE-208: RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py — check_sign_in_key(). This issue has been patched via commit 2f68e16.
nvd
CVE-2026-41505 | P3 | HIGH | CVSS 8.7 | fixed in 2f68e16cd3b96d25c188c1aa3f7e13cdb15cdaeb | 2026-05-07
CVE-2026-41505 [HIGH] CWE-330: RELATE is a web-based courseware package. Prior to commit 2f68e16, RELATE is vulnerable to predictable token generation in auth.py's make_sign_in_key() function and exam.py's gen_ticket_code() function. This issue has been patched via commit 2f68e16.
nvd
CVE-2024-32406 | P3 | HIGH | CVSS 7.5 | fixed in 2024.1 | 2024-04-26
CVE-2024-32406 [HIGH] CWE-1336: Server-Side Template Injection (SSTI) vulnerability in inducer relate before v.2024.1 allows a remote attacker to execute arbitrary code via a crafted payload to the Batch-Issue Exam Tickets function.
nvd
CVE-2026-42197 | P3 | HIGH | CVSS 8.7 | fixed in 555f0efb1c5bd7531c07cd73724d7e566a81f620 | 2026-05-27
CVE-2026-42197 [HIGH] CWE-79: RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin account takeover. The `get_user()` method in `Participation
nvd
CVE-2024-32404 | P3 | MEDIUM | CVSS 6.0 | fixed in 2024.1 | 2024-04-26
CVE-2024-32404 [MEDIUM] CWE-94: Server-Side Template Injection (SSTI) vulnerability in inducer relate before v.2024.1, allows remote attackers to execute arbitrary code via a crafted payload to the Markup Sandbox feature.
nvd
CVE-2024-32405 | P4 | LOW | CVSS 2.6 | fixed in 2024.1 | 2024-04-22
CVE-2024-32405 [LOW] CWE-79: Cross Site Scripting vulnerability in inducer relate before v.2024.1 allows a remote attacker to escalate privileges via a crafted payload to the Answer field of InlineMultiQuestion parameter on Exam function.
nvd