Totara LMS HTML Injection Vulnerability Allowing Session Hijacking

Vulnerability

An HTML injection vulnerability has been identified in Totara LMS versions through 19.1.5. It allows an attacker to inject malicious HTML code into a message, which can then be sent to all users within the application. The injected code could be executed in the context of the user's session, potentially leading to session hijacking and unauthorized command execution in the victim's browser.

Impact

Exploitation of this vulnerability could result in HTML injection, allowing malicious HTML code to execute in the context of the user's session. This could lead to session hijacking and unauthorized command execution in the victim's browser.

Remediation

Users are advised to update to a Totara LMS version later than 19.1.5. Additionally, implementing input/output sanitization in the messages component helps mitigate this vulnerability.
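As an added illustration of the output sanitization the remediation suggests (example code, not Totara's own), the following allowlist-based sanitizer for message bodies assumes messages only need basic formatting and links: it drops every other tag and attribute, rejects non-http(s)/mailto links, re-escapes the text, and reports how much it removed so that messages carrying unexpected markup can be logged.

```python
import html
from html.parser import HTMLParser

# Allowlist for a messaging component (assumption: messages only need basic
# formatting and links; anything else is dropped before storage or rendering).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT = {"script", "style"}  # drop these tags together with their body


class MessageSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self._skipping = [], 0, False

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skipping = True
        if tag not in ALLOWED_TAGS:
            self.dropped += 1
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            ok = name in ALLOWED_ATTRS.get(tag, set())
            if ok and name == "href":  # reject javascript:, data:, etc.
                ok = value.strip().lower().startswith(SAFE_SCHEMES)
            if not ok:
                self.dropped += 1  # counts on* handlers, style=, bad hrefs
                continue
            kept.append(f' {name}="{html.escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skipping = False
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # The parser already decoded entities; escape the plain text again.
        if not self._skipping:
            self.out.append(html.escape(data))


def sanitize_message(body):
    """Return (clean_html, dropped_count); a non-zero count is worth logging."""
    p = MessageSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out), p.dropped
```

Run the sanitizer on the message body at storage time and again at render time; the dropped count gives a cheap signal for detecting senders who repeatedly submit messages with disallowed markup.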

Added: Apr 13, 2026, 3:55 PM
Updated: Apr 13, 2026, 3:55 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          1.7
exploitability  5.0
remediation     0.0
relevance       5.8
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.