7:["$","div",null,{"className":"pt-16","children":[["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"TechArticle\",\"headline\":\"CVE-2026-31281 — Dependency Blast Radius Analysis\",\"description\":\"Interactive analysis of open-source packages affected by CVE-2026-31281\",\"dateModified\":\"2026-04-24T17:16:19.94Z\",\"publisher\":{\"@type\":\"Organization\",\"name\":\"EchelonGraph\",\"url\":\"https://echelongraph.io\",\"logo\":{\"@type\":\"ImageObject\",\"url\":\"https://echelongraph.io/logo.png\"}},\"mainEntityOfPage\":\"https://echelongraph.io/pulse/CVE-2026-31281/blast-radius\",\"image\":\"https://echelongraph.io/og-image.png\",\"keywords\":\"CVE, blast radius, dependency, vulnerability, open source\"}"}}],["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"BreadcrumbList\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https://echelongraph.io\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CVE Pulse\",\"item\":\"https://echelongraph.io/pulse\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"CVE-2026-31281\",\"item\":\"https://echelongraph.io/pulse/CVE-2026-31281\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Blast Radius\",\"item\":\"https://echelongraph.io/pulse/CVE-2026-31281/blast-radius\"}]}"}}],["$","section",null,{"className":"max-w-7xl mx-auto px-6 py-20","aria-labelledby":"blast-heading","children":[["$","nav",null,{"className":"flex items-center gap-2 text-xs mb-6","style":{"color":"var(--text-dim)"},"children":[["$","$Le",null,{"href":"/","className":"hover:underline","style":{"color":"var(--text-muted)"},"children":"Home"}],["$","span",null,{"children":"›"}],["$","$Le",null,{"href":"/pulse","className":"hover:underline","style":{"color":"var(--text-muted)"},"children":"CVE Pulse"}],["$","span",null,{"children":"›"}],["$","$Le",null,{"href":"/pulse/CVE-2026-31281","className":"hover:underline","style":{"color":"var(--text-muted)"},"children":"CVE-2026-31281"}],["$","span",null,{"children":"›"}],["$","span",null,{"style":{"color":"var(--text-secondary)"},"children":"Blast Radius"}]]}],false,["$","div",null,{"className":"mb-8","children":[["$","h1",null,{"id":"blast-heading","className":"text-3xl md:text-4xl font-black mb-2","style":{"color":"var(--text-primary)","textDecoration":"$undefined","textDecorationColor":"$undefined","opacity":1},"children":["CVE-2026-31281"," ",["$","span",null,{"className":"gradient-text","children":"Blast Radius"}]]}],["$","p",null,{"className":"text-sm","style":{"color":"var(--text-muted)"},"children":[["$","span",null,{"className":"inline-flex items-center px-2 py-0.5 rounded-full text-[10px] font-bold mr-2 border","style":{"background":"rgba(249,115,22,0.15)","color":"#f97316","borderColor":"rgba(249,115,22,0.3)"},"children":"HIGH • CVSS 8"}],"Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in","…"]}]]}],["$","$L15",null,{"cveId":"CVE-2026-31281","description":"Totara LMS v19.1.5 and before is vulnerable to HTML Injection. An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's browser. NOTE: The supplier states that the product name is Totara Learning and that the functionality referenced is the in app messaging client. They note that the in app messaging client only has the ability to embed a specific allowed list of HTML tags commonly used for text enhancement, which includes italic, bold, underline, strong, etc. Last, they state that the in app messaging client cannot embed

CVE-2026-31281 Blast Radius

Is Your Infrastructure Using These Packages?