CVE-2026-42197: RELATE Vulnerable to Stored XSS via Unprivileged User Profile
RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execute arbitrary JavaScript in an administrator's browser session, potentially leading to full admin account takeover. The `get_user()` method in `ParticipationAdmin` renders user-controlled input using `mark_safe` combined with Python's % string formatting, which bypasses Django's automatic HTML escaping entirely. The value returned by `get_full_name` is derived directly from the `first_name` and `last_name` fields of the User model. These fields are freely editable by any authenticated user through the profile page (`/profile/`) with no sanitization applied. When an admin views the Participation list in the Django admin panel, the unsanitized value is rendered directly into the HTML response, causing the injected script to execute in the admin's browser. Commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 fixes the issue.
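The construction the advisory describes, shown beside its hardened form, as an added example. This is not RELATE's code and not Django's: the `SafeString`, `mark_safe`, `conditional_escape` and `format_html` below are a stand-alone, standard-library re-implementation of the semantics the Django helpers of those names have, so the block runs without Django installed, and the change URL and the column markup are assumed for illustration. What it demonstrates is that `mark_safe` over a %-formatted string trusts whatever the student typed into `first_name`, while `format_html` escapes each substituted argument and trusts only the literal template.

```python
"""Vulnerable versus hardened rendering of a user-controlled name in a Django
ModelAdmin list column (added example; not RELATE's or Django's code).

SafeString, mark_safe, conditional_escape and format_html below are a
stand-alone stdlib re-implementation of the semantics of the Django helpers of
the same names, so this runs without Django installed."""
from html import escape


class SafeString(str):
    """A str the renderer emits as-is (stands in for django.utils.safestring.SafeString)."""


def mark_safe(s: str) -> SafeString:
    # Declares the whole string trusted: nothing in it is escaped, whatever it contains.
    return SafeString(s)


def conditional_escape(value) -> SafeString:
    # Escape <, >, &, " and ' unless the value was already declared safe.
    if isinstance(value, SafeString):
        return value
    return SafeString(escape(str(value), quote=True))


def format_html(template: str, *args) -> SafeString:
    # Only the literal template is trusted; every substituted argument is escaped first.
    return mark_safe(template.format(*(conditional_escape(a) for a in args)))


def get_full_name(first_name: str, last_name: str) -> str:
    # Same concatenation Django's AbstractUser.get_full_name() performs: no escaping.
    return ("%s %s" % (first_name, last_name)).strip()


CHANGE_URL = "/admin/auth/user/42/change/"  # assumed link target, for illustration only


def get_user_vulnerable(first_name: str, last_name: str) -> str:
    """The construction the advisory describes: mark_safe over a %-formatted string."""
    return mark_safe('<a href="%s">%s</a>' % (CHANGE_URL, get_full_name(first_name, last_name)))


def get_user_hardened(first_name: str, last_name: str) -> str:
    """The fix: format_html escapes the user-controlled argument; markup stays literal."""
    return format_html('<a href="{}">{}</a>', CHANGE_URL, get_full_name(first_name, last_name))


def contains_live_script(rendered: str) -> bool:
    """Does a raw <script> tag survive into the HTML the admin's browser will parse?"""
    return "<script" in rendered.lower()


# Constructed payload: what a student could type into first_name on /profile/.
PAYLOAD_FIRST = "<script>alert(document.domain)</script>"
PAYLOAD_LAST = ""

if __name__ == "__main__":
    print("vulnerable:", get_user_vulnerable(PAYLOAD_FIRST, PAYLOAD_LAST))
    print("hardened:  ", get_user_hardened(PAYLOAD_FIRST, PAYLOAD_LAST))
```

The vulnerable variant emits the student's `<script>` element verbatim; the hardened one emits `&lt;script&gt;…&lt;/script&gt;`, which the browser renders as text. In a real Django codebase the same change is replacing `mark_safe("..." % value)` with `django.utils.html.format_html("...", value)`.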
HarborGuard Analysis
Synopsis
Stored cross-site scripting (XSS) in RELATE, a web-based courseware package, allows any enrolled student to inject arbitrary JavaScript into an administrator's browser session. The vulnerability is reachable over the network and requires only a low-privilege account (any enrolled student); an administrator must subsequently view the affected Participation list page in the Django admin panel for the payload to execute. Successful exploitation gives the attacker full control over the admin's browser session, enabling account takeover with admin-level privileges. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published as a versioned release.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-42197 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle RELATE.
- Triage: Available
Triage uses the CVSS v3.1 score of 8.7 (HIGH), weighted against each customer org's compliance policy, to determine the urgency tier and route the finding to the appropriate team inbox within that organization.
- Patched-image rebuild: Pending upstream
Because no versioned fix has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream release incorporating commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 is tagged. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once that release appears.
Exploit Conditions
- Network reachability: Required
The profile page and the Django admin are both served by the RELATE web service, so the attacker must be able to reach that service to store the payload. The administrator triggers it by loading the Participation list page in a browser; the admin panel itself does not need to be reachable from the attacker's network, because the script runs in the admin's own browser.
- Authentication: Required
The attacker must hold a valid enrolled-student account; any low-privilege authenticated user can write the malicious payload into first_name or last_name via the profile page at /profile/.
- Victim interaction: Required
An administrator must open the Participation list in the Django admin panel after the payload has been stored. Because that is routine admin activity, no social engineering is needed: the attacker can simply wait.
- Attack complexity: Low
Once the payload is stored the exploit is deterministic: no race conditions, memory-layout knowledge, or special environmental configuration are required.
Blast Radius
- The attacker's JavaScript runs inside the administrator's authenticated browser session. Any request it makes to RELATE carries the admin's session cookie automatically, and the CSRF token is readable from the hidden csrfmiddlewaretoken fields in the admin's forms (and from the csrftoken cookie, which Django does not mark HttpOnly by default). The session cookie's value itself is not readable by script unless SESSION_COOKIE_HTTPONLY has been changed from Django's default of True, so cookie theft is the exception; driving the session from within the browser is the rule.
- Acting through that session, the attacker can read everything the admin can: course data, student records, and system configuration in RELATE.
- The attacker can modify persisted data through the admin panel, including grades, enrollments, and course content, with every change attributed to the admin's identity.
- The admin account can be fully taken over, for instance by changing credentials (creating an additional superuser from the user admin is enough) or planting further payloads, since the script can perform any action the admin could initiate.
How HarborGuard Handles This
Available on HarborGuard: because no versioned upstream release has been published yet for this vulnerability, HarborGuard continuously re-checks the advisory on each ingest cycle and will automatically make a patched-image rebuild available the moment inducer/relate tags a release containing commit 555f0efb1c5bd7531c07cd73724d7e566a81f620. In the meantime, the most direct interim measure is to apply that commit to the deployed checkout, since the advisory locates the defect in how `ParticipationAdmin.get_user()` builds its HTML. Compensating controls are worth considering as well, with their limits understood: network-policy rules that restrict access to the Django admin panel (/admin/) to known internal IP ranges do not stop the payload from executing, because the administrator's browser is inside that range, but they do stop exfiltrated session material from being replayed from outside; egress filtering from the admin network likewise limits what an injected script can send out; and feature-flag or middleware-level gating that enforces additional authentication (a re-prompt or an IP allowlist) before the Participation list view renders adds friction but not protection once the admin passes the gate and the page is served. For customers with auto-remediation enabled, the full rebuild, regression run, and PR flow will fire without manual steps as soon as the patched release is available upstream.
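Until the fixed release is tagged, a practitioner will also want to confirm that no other admin column or helper in their deployment repeats the same construction. The audit script below is an added example, not RELATE or HarborGuard code: it uses only Python's standard-library `ast` module to flag `mark_safe(...)` calls whose argument is built at run time, and it runs here over a constructed snippet whose class and method bodies merely imitate the shape of the vulnerable method. It goes slightly beyond the advisory's %-formatting case by also catching `str.format()` calls and f-strings, which defeat escaping in exactly the same way.

```python
"""Audit helper for the construction behind this advisory: mark_safe() applied
to a string built by run-time formatting. Added example, not RELATE or
HarborGuard code; stdlib-only, so it runs on a checkout without importing Django."""
import ast
import sys
from typing import List, Tuple


def _is_runtime_formatted(node: ast.AST) -> bool:
    """True for "..." % x, "...".format(x) and f"...{x}": values interpolated unescaped."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return True
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def _called_name(call: ast.Call) -> str:
    # Handles both mark_safe(...) and safestring.mark_safe(...).
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def find_unsafe_mark_safe(source: str, filename: str = "<string>") -> List[Tuple[int, str]]:
    """Return (line number, source of the call) for each mark_safe() fed a formatted string."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if (isinstance(node, ast.Call)
                and _called_name(node) == "mark_safe"
                and node.args
                and _is_runtime_formatted(node.args[0])):
            findings.append((node.lineno, ast.unparse(node)))
    return sorted(findings)


# Constructed snippet imitating the shape of the vulnerable admin (not RELATE's source).
SAMPLE = '''\
from django.utils.html import format_html
from django.utils.safestring import mark_safe

class ParticipationAdmin:
    def get_user(self, obj):
        return mark_safe("<a href='%s'>%s</a>" % (obj.url, obj.user.get_full_name()))

    def get_user_fstring(self, obj):
        return mark_safe(f"<b>{obj.user.get_full_name()}</b>")

    def get_user_fixed(self, obj):
        return format_html("<a href='{}'>{}</a>", obj.url, obj.user.get_full_name())

    def label(self):
        return mark_safe("<b>Participant</b>")
'''

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no files given: demonstrate on the constructed sample
        for line, code in find_unsafe_mark_safe(SAMPLE, "sample.py"):
            print(f"sample.py:{line}: {code}")
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for line, code in find_unsafe_mark_safe(fh.read(), path):
                print(f"{path}:{line}: {code}")
```

On the sample it reports lines 6 and 9 (the %-formatted and f-string calls) and stays silent on `format_html(...)` and on `mark_safe` over a literal. To sweep a checkout, pass the Python files as arguments, for example the output of `git ls-files '*.py'`.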
Metrics
- CVSS v3.1
- 8.7
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
- inducer/relate < 555f0efb1c5bd7531c07cd73724d7e566a81f620
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N