Improper Neutralization of Special Elements Used in a Template Engine in OpenOlat - CVE-2026-28228

Published: April 27, 2026


Vulnerability identifier: #VU128165
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-28228
CWE-ID: CWE-1336
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenOlat
Affected software: OpenOlat

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to server-side template injection (SSTI) in VelocityEngine.evaluate(): user-controlled text in reminder emails and other templated content is evaluated as a Velocity template rather than treated as data. A remote user can inject crafted Velocity directives into that text and have them executed by the engine.

Exploitation requires privileges associated with the Author role, and the injected template is evaluated when the reminder is processed manually or by the daily cron job.
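The pattern described above, illustrated with hypothetical Java code that is not OpenOlat's own (the class and method names ReminderRenderer, renderUnsafe and renderSafe are assumptions): in the unsafe form the author-supplied reminder text is handed to VelocityEngine.evaluate() as the template, so any directive in it is interpreted; in the hardened form the template is a fixed, developer-owned string and the user text enters only as a context value, which Velocity emits verbatim. The SecureUberspector property is a defence-in-depth setting from Apache Velocity, not a substitute for keeping user input out of the template.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

// Hypothetical reminder renderer (assumed names, not OpenOlat's code).
public class ReminderRenderer {

    private static VelocityEngine newEngine() {
        VelocityEngine engine = new VelocityEngine();
        // Defence in depth: SecureUberspector refuses reflective access to
        // Class, ClassLoader and related types from inside templates.
        engine.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        engine.init();
        return engine;
    }

    // Vulnerable pattern: the user-supplied text IS the template, so every
    // #directive and $reference it contains is interpreted by the engine.
    public static String renderUnsafe(String userSuppliedBody, String recipientName) {
        VelocityEngine engine = newEngine();
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", recipientName);
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "reminder", userSuppliedBody);
        return out.toString();
    }

    // Hardened pattern: the template is a fixed string owned by the code, and
    // the user text is only a context value. Velocity does not re-parse values
    // taken from the context, so directives in the text are printed literally.
    private static final String FIXED_TEMPLATE = "Hello $name,\n\n$body\n";

    public static String renderSafe(String userSuppliedBody, String recipientName) {
        VelocityEngine engine = newEngine();
        VelocityContext ctx = new VelocityContext();
        ctx.put("name", recipientName);
        ctx.put("body", userSuppliedBody);
        StringWriter out = new StringWriter();
        engine.evaluate(ctx, out, "reminder", FIXED_TEMPLATE);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a harmless #set directive that only reveals
        // whether the engine interprets author-controlled text.
        String body = "Your course starts tomorrow. #set($marker = \"evaluated\")$marker";
        // Unsafe rendering interprets the directive and prints "evaluated".
        System.out.println("unsafe: " + renderUnsafe(body, "Alice"));
        // Safe rendering leaves the directive text exactly as the author typed it.
        System.out.println("safe:   " + renderSafe(body, "Alice"));
    }
}
```

The check a reviewer would apply to code like this is simply whether the string passed as the last argument of evaluate() can ever originate from a request; if it can, the fix is to move that string into the context and evaluate a constant template instead. Output escaping (for HTML-formatted mail) is a separate concern and is not addressed by this change.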


How to mitigate CVE-2026-28228

Install the security update from the vendor's website.

Sources