CVE-2026-28228
Published: 30 March 2026
Summary
CVE-2026-28228 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Frentix Openolat. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 20.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. Note that "public-facing" here still requires a valid Author-role account: the flaw is post-authentication.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Validates or rejects Author-supplied text destined for reminder email templates so that it cannot introduce Velocity directives. The robust form of this control is to never pass user text to the engine as template source at all; a deny-list of directive syntax is a weaker fallback.
- SI-2 (Flaw Remediation): Ensures timely identification, testing and deployment of the fixed releases (19.1.31, 20.1.18 and 20.2.5) for server-side template injection flaws such as CVE-2026-28228.
- CM-7 (Least Functionality): Restricts the Velocity template engine to least functionality by disabling dangerous directives and the reflection capabilities (for example via Velocity's SecureUberspector) that turn a template injection into arbitrary code execution. This is defence in depth, not a substitute for the patch.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSTI in a public-facing web application enables remote exploitation by an authenticated Author (T1190). The resulting reflection chain to java.lang.ProcessBuilder yields OS command execution under the Tomcat process, which maps to Command and Scripting Interpreter: Unix Shell (T1059.004).
NVD Description
OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. Prior to versions 19.1.31, 20.1.18, and 20.2.5, an authenticated user with the Author role can inject Velocity directives into a reminder email template. When the reminder is processed (either triggered manually or via the daily cron job), the injected directives are evaluated server-side. By chaining Velocity's #set directive with Java reflection, an attacker can instantiate arbitrary Java classes such as java.lang.ProcessBuilder and execute operating system commands with the privileges of the Tomcat process (typically root in containerized deployments). This issue has been patched in versions 19.1.31, 20.1.18, and 20.2.5.
Deeper analysis
CVE-2026-28228 is a server-side template injection vulnerability in OpenOlat, an open source web-based e-learning platform used for teaching, learning, assessment, and communication. It affects versions prior to 19.1.31, 20.1.18, and 20.2.5, where an authenticated user with the Author role can inject Velocity directives into a reminder email template. Because the Author-supplied text is handed to the Velocity engine as template source rather than as data, those directives are evaluated server-side whenever the reminder is processed, either on manual trigger or by the daily cron job. This lets an attacker chain Velocity's #set directive with Java reflection to reach arbitrary code execution. The cron path matters for responders: a malicious template planted once keeps executing daily without any further attacker interaction.
An attacker needs only network access and a low-privileged Author account, with no user interaction required, which yields a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The weakness is classified as CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine). Exploitation allows instantiation of arbitrary Java classes, such as java.lang.ProcessBuilder, resulting in operating system command execution under the privileges of the Tomcat process, which is typically root in containerized deployments.
The issue has been addressed in OpenOlat versions 19.1.31, 20.1.18, and 20.2.5. Additional details are available in the GitHub Security Advisory at https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-55qg-vvgj-ffh4.
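The following Java program is an added illustration of the CWE-1336 pattern that the mitigating-controls list and the analysis above describe; it is not OpenOlat code, and the class name, method names, the sample reminder text and the engine wiring are assumptions made for the demonstration. It places a vulnerable rendering path (user text used as Velocity template source) next to a hardened one (a fixed template, with user text entering only as a context value and placeholders substituted from an allow-list in Java), and configures Velocity's SecureUberspector as the CM-7 style restriction. The probe directive in the sample input is harmless arithmetic, not an exploit payload.

```java
import java.io.StringWriter;
import java.util.Map;
import java.util.Properties;

import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

/**
 * Added illustration of the CWE-1336 pattern behind CVE-2026-28228.
 * Not OpenOlat code: class/method names, the sample reminder text and the
 * engine wiring are assumptions for this demo. Needs
 * org.apache.velocity:velocity-engine-core (2.x) on the classpath.
 */
public class ReminderTemplateDemo {

    // Constructed sample of text an Author-role user might save as a reminder.
    // The #set is a harmless arithmetic probe, not an exploit payload.
    static final String UNTRUSTED_INPUT =
        "Hi $name, your course starts soon. #set($probe = 7 * 7)$probe";

    /** Engine with SecureUberspector enabled (defence in depth only). */
    static VelocityEngine secureEngine() {
        Properties p = new Properties();
        // SecureUberspector is designed to refuse method calls on classes such
        // as java.lang.Class, ClassLoader and Runtime, which a reflection chain
        // like the one in the advisory depends on. It does NOT stop directive
        // evaluation itself, as the vulnerable path below still shows.
        p.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
            "org.apache.velocity.util.introspection.SecureUberspector");
        VelocityEngine engine = new VelocityEngine(p);
        engine.init();
        return engine;
    }

    /**
     * VULNERABLE: user-controlled text is passed to the engine as template
     * source, so every directive it contains is parsed and executed
     * server-side each time the reminder is rendered (manually or by cron).
     */
    static String renderVulnerable(VelocityEngine engine, String userTemplate, String name) {
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", name);
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "reminder", userTemplate);
        return out.toString();
    }

    /**
     * HARDENED: the template is a fixed, developer-owned string. User text
     * enters only as a context value, and Velocity does not re-parse the
     * values it substitutes, so "#set" in it is emitted as plain characters.
     */
    static final String FIXED_TEMPLATE = "$body";

    /** Keeps the placeholder feature without involving the template engine. */
    static String substitutePlaceholders(String userText, Map<String, String> allowed) {
        String result = userText;
        for (Map.Entry<String, String> e : allowed.entrySet()) {
            result = result.replace("$" + e.getKey(), e.getValue());
        }
        return result;
    }

    static String renderHardened(VelocityEngine engine, String userText, String name) {
        VelocityContext ctx = new VelocityContext();
        // Only the allow-listed "$name" token is replaced, in Java, before the
        // text reaches Velocity; everything else is inert data.
        ctx.put("body", substitutePlaceholders(userText, Map.of("name", name)));
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "reminder", FIXED_TEMPLATE);
        return out.toString();
    }

    public static void main(String[] args) {
        VelocityEngine engine = secureEngine();
        System.out.println("vulnerable: " + renderVulnerable(engine, UNTRUSTED_INPUT, "Ada"));
        System.out.println("hardened:   " + renderHardened(engine, UNTRUSTED_INPUT, "Ada"));
    }
}
```

Run it and compare the two lines: the vulnerable path evaluates the probe directive and prints its result, while the hardened path prints the `#set(...)` text literally, because it was never treated as template source. That difference is the whole fix; SecureUberspector merely narrows what an executed directive can reach, which is why CM-7 is listed alongside, not instead of, applying the patched releases.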
Details
- CWE(s)