Cyber Resilience

CVE-2026-28228

Severity: High
Published: 30 March 2026
Modified: 02 April 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0041 (33.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-28228 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Frentix Openolat. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28228 is a server-side template injection vulnerability in OpenOlat, an open source web-based e-learning platform used for teaching, learning, assessment, and communication. It affects versions prior to 19.1.31, 20.1.18, and 20.2.5, where an authenticated user with the Author role can inject malicious Velocity directives into a reminder email template. These directives are evaluated server-side when the reminder is processed, whether triggered manually or by the daily cron job, enabling attackers to chain Velocity's #set directive with Java reflection for arbitrary code execution.

An attacker requires low-privileged network access as an authenticated Author role user, with no user interaction needed, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapping to CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine). Exploitation allows instantiation of arbitrary Java classes, such as java.lang.ProcessBuilder, resulting in operating system command execution under the privileges of the Tomcat process, which is typically root in containerized deployments.

The issue has been addressed in OpenOlat versions 19.1.31, 20.1.18, and 20.2.5. Additional details are available in the GitHub Security Advisory at https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-55qg-vvgj-ffh4.

Vulnerability details

OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. Prior to versions 19.1.31, 20.1.18, and 20.2.5, an authenticated user with the Author role can inject Velocity directives into a reminder email template. When the reminder is processed (either triggered manually or via the daily cron job), the injected directives are evaluated server-side. By chaining Velocity's #set directive with Java reflection, an attacker can instantiate arbitrary Java classes such as java.lang.ProcessBuilder and execute operating system commands with the privileges of the Tomcat process (typically root in containerized deployments). This issue has been patched in versions 19.1.31, 20.1.18, and 20.2.5.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

SSTI in a public-facing web application enables remote exploitation (T1190), resulting in OS command execution via ProcessBuilder (T1059.004, Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31946 (same product: Frentix Openolat)
CVE-2026-42252 (shared CWE-1336)
CVE-2025-53909 (shared CWE-1336)
CVE-2026-34587 (shared CWE-1336)
CVE-2022-23851 (shared CWE-1336)
CVE-2025-49828 (shared CWE-1336)
CVE-2026-21448 (shared CWE-1336)
CVE-2026-9558 (shared CWE-1336)
CVE-2025-59340 (shared CWE-1336)
CVE-2025-23211 (shared CWE-1336)

Affected Assets

Vendor: frentix
Product: openolat
Versions: ≤ 19.1.31 · 20.0.0 — 20.1.18 · 20.2.0 — 20.2.5

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent): Validates user inputs to reminder email templates to prevent injection of malicious Velocity directives leading to server-side template injection.

SI-2 Flaw Remediation (prevent): Ensures timely identification, testing, and deployment of patches for server-side template injection flaws like CVE-2026-28228.

Least functionality (prevent): Restricts the Velocity template engine to least functionality by disabling dangerous directives or reflection capabilities that enable arbitrary code execution.
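As an added example (not OpenOlat's code and not the fix described in the advisory), the following Python check illustrates the SI-10 control above and the injection mechanism described under Deeper analysis: a pre-save linter that a reminder-template editor could run on Author-supplied text before the template is stored. It rejects any Velocity directive (the #set family) and any reference that does more than substitute an allowlisted placeholder, so reflection-style member access such as `.class` or `.getClass()` is refused before anything reaches the template engine. The placeholder names, the sample templates and the function names are constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Placeholders a reminder template may reference. These names are assumed for the
# example; OpenOlat's real placeholder set is not listed on this page.
ALLOWED_PLACEHOLDERS = {"firstName", "lastName", "courseName", "startDate", "courseUrl"}

# Any Velocity directive: '#' followed by an identifier, optionally in the '#{name}' form.
# '##' line comments and '#*...*#' block comments do not match and are left alone.
DIRECTIVE_RE = re.compile(r"#\{?([A-Za-z_]\w*)")

# A Velocity reference: '$name', '$!name', '${...}' or an unbraced chain such as
# '$user.getClass()'. Group 1 is the braced body, group 2 the unbraced body.
REFERENCE_RE = re.compile(
    r"\$!?(?:\{([^}]*)\}|([A-Za-z_]\w*(?:\.[A-Za-z_]\w*(?:\([^)]*\))?)*))"
)


@dataclass
class Finding:
    kind: str      # "directive", "member_access" or "unknown_placeholder"
    token: str     # the offending text as it appears in the template
    position: int  # character offset, for pointing the author at the problem


def lint_reminder_template(template: str) -> List[Finding]:
    """Return every construct in `template` that goes beyond plain placeholder substitution.

    An empty list means the template only references allowlisted placeholders and
    contains no directives, so it cannot drive #set, reflection or any other engine
    feature. The check is deliberately conservative: '#word' is flagged even where
    Velocity would treat it as literal text.
    """
    findings: List[Finding] = []
    for m in DIRECTIVE_RE.finditer(template):
        findings.append(Finding("directive", m.group(0), m.start()))
    for m in REFERENCE_RE.finditer(template):
        body = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
        if "." in body or "(" in body:
            # Property or method access on a reference: this is the path from a
            # harmless placeholder object to the reflection API, so refuse it outright.
            findings.append(Finding("member_access", m.group(0), m.start()))
        elif body not in ALLOWED_PLACEHOLDERS:
            findings.append(Finding("unknown_placeholder", m.group(0), m.start()))
    return findings


def is_safe_template(template: str) -> bool:
    """True when the template should be accepted for storage."""
    return not lint_reminder_template(template)


# Constructed sample templates (not taken from OpenOlat). Only the first is acceptable.
SAMPLE_TEMPLATES = {
    "benign": "Hello $firstName, your course ${courseName} starts on $startDate.",
    "set_directive": "Hi $firstName #set($x = 1) see you soon",
    "reflection_chain": "Hello ${firstName.class.name}",
    "getclass_access": "Dear $user.getClass()",
}

if __name__ == "__main__":
    for name, text in SAMPLE_TEMPLATES.items():
        verdict = "accept" if is_safe_template(text) else "reject"
        print(f"{name:17s} {verdict}")
        for f in lint_reminder_template(text):
            print(f"    {f.kind} at {f.position}: {f.token}")
```

This kind of check belongs in front of the template store, not in the cron job: once an unsafe template is persisted, every reminder run re-evaluates it. It complements rather than replaces the vendor patch and an engine-level restriction on reflection, since a linter only sees the template text and not what the engine will resolve at render time.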
