CVE-2026-31281
Published: 13 April 2026
Summary
CVE-2026-31281 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Totara LMS (inferred from references). Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 12.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): Filters output in the in-app messaging client to prevent injected malicious HTML from executing in victims' browsers.
- SI-10 (Information Input Validation): Validates and sanitizes HTML inputs to the messaging system to block malicious code injection by low-privilege users.
- Restricts message inputs to an approved list of safe HTML tags and attributes (an allowlist), reinforcing the sanitization above.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored HTML injection/XSS in the authenticated in-app messaging feature directly enables arbitrary JavaScript execution in victim browsers (T1059.007, JavaScript) and the explicitly described session hijacking via stolen cookies or hijacked sessions (T1185 Browser Session Hijacking, T1539 Steal Web Session Cookie).
NVD Description
Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's browser. NOTE: The supplier states that the product name is Totara Learning and that the functionality referenced is the in app messaging client. They note that the in app messaging client only has the ability to embed a specific allowed list of HTML tags commonly used for text enhancement, which includes italic, bold, underline, strong, etc. Last, they state that the in app messaging client cannot embed <script>, <style>, <iframe>, <object>, <embed>, <form>, <input>, <button>, <svg>, <math>, etc., and any attempt to embed tags or attributes outside of the allowed list (including onerror, onaction, etc.) is sanitized via DOMPurify.
Deeper analysis
CVE-2026-31281 is an HTML injection vulnerability (CWE-79) affecting Totara LMS versions 19.1.5 and earlier, specifically in the in-app messaging client of Totara Learning. Published on 2026-04-13, it has a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, low privileges required, and user interaction needed.
An authenticated attacker with low privileges can inject malicious HTML code into a message and send it to all users in the application. When victims view the message, the injected code executes in their browsers, potentially leading to session hijacking and arbitrary command execution on the victim's browser.
The supplier notes that the in-app messaging client only permits a specific allowed list of HTML tags for text enhancement, such as italic, bold, underline, and strong, while sanitizing input via DOMPurify to block dangerous tags like script, style, iframe, object, embed, form, input, button, svg, and math, as well as disallowed attributes including onerror and onaction. References include https://github.com/saykino/CVE-2026-31281 and https://www.totara.com/.
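As an added defensive example (not code from the advisory, from Totara, or from DOMPurify), the following standard-library Python audit applies the vendor-described allowlist to stored message bodies and reports every tag or attribute outside it, which is the check a reviewer or responder would run over a message store to confirm the sanitizer is holding. The exact tag set beyond the four named tags, the empty attribute allowlist, and the sample messages are constructed assumptions.

```python
from html.parser import HTMLParser

# Allowlist as described in the advisory: text-enhancement tags only.
# Assumption: the page names italic, bold, underline and strong; "em" is added here.
ALLOWED_TAGS = {"i", "b", "u", "strong", "em"}
ALLOWED_ATTRS = set()  # assumption: the page names no permitted attributes


class AllowlistAuditor(HTMLParser):
    """Records every tag or attribute that falls outside the allowlist."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"disallowed tag <{tag}>")
        for name, _value in attrs:
            if name not in ALLOWED_ATTRS:
                kind = "event handler" if name.startswith("on") else "attribute"
                self.findings.append(f"disallowed {kind} {name} on <{tag}>")

    # Self-closing syntax (<img ... />) is audited the same way.
    handle_startendtag = handle_starttag


def audit_message(body):
    """Return the list of allowlist violations found in one message body."""
    parser = AllowlistAuditor()
    parser.feed(body)
    parser.close()
    return parser.findings


def audit_all(records):
    """Return (sender_role, body, findings) for records that have findings."""
    flagged = []
    for role, body in records:
        findings = audit_message(body)
        if findings:
            flagged.append((role, body, findings))
    return flagged


# Constructed sample records: (sender_role, message body). Not real data.
SAMPLE_MESSAGES = [
    ("learner", "Reminder: <b>quiz</b> is due <i>Friday</i>"),
    ("learner", '<img src=x onerror="alert(1)">hi'),
    ("learner", "<script>alert(1)</script>"),
    ("trainer", "<strong>Well done</strong> <iframe src='https://example.invalid'></iframe>"),
]
```

Run `audit_all(SAMPLE_MESSAGES)` to see the three non-compliant records; the first benign message produces no findings.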
Details
- CWE(s): CWE-79 (Cross-site Scripting)