
Openedx Openedx-Platform vulnerabilities

4 known vulnerabilities affecting openedx/openedx-platform.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, MEDIUM 3

Vulnerabilities

CVE-2026-42858 (P2, CRITICAL, CVSS 9.9) - fixed in 6fda1f120ff5a590d120ae1180185525f399c6d0 - 2026-05-11
CWE-918. Open edX Platform enables the authoring and delivery of online learning at any scale. The sync_provider_data endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply an arbitrary URL via the metadata_url POST parameter. This URL is passed directly to requests.get() in fetch_metadata_xml() without any URL validation
Source: NVD
CVE-2026-34736 (P4, MEDIUM, CVSS 5.3) - affected versions >= maple, < ulmo - 2026-04-02
CWE-287. Open edX Platform enables the authoring and delivery of online learning at any scale. From the maple release to before the ulmo release, an unauthenticated attacker can fully bypass the email verification process by combining two issues: the OAuth2 password grant issuing tokens to inactive users (documented behavior) and the activation_key being exp
Source: NVD
CVE-2026-35404 (P4, MEDIUM, CVSS 6.1) - fixed in 76462f1e5fa9b37d2621ad7ad19514b403908970 - 2026-04-06
CWE-601. Open edX Platform enables the authoring and delivery of online learning at any scale. The view_survey endpoint accepts a redirect_url GET parameter that is passed directly to HttpResponseRedirect() without any URL validation. When a non-existent survey name is provided, the server issues an immediate HTTP 302 redirect to the attacker-controlled URL.
Source: NVD
CVE-2026-42857 (P4, MEDIUM, CVSS 5.4) - fixed in cddc25cd791bb78f76833896e4778f668861df12 - affected versions >= sumac, < ulmo - 2026-05-11
CWE-79. Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove tags from user-generated discussion post content. This content is rendered with Django's |safe template filter in email notification templates, allowing any enrolled
Source: NVD