
Canvas Free-for-Teacher: actively exploited XSS (cross-site scripting) vulnerabilities

Vulnerability
Happening score
H score 26
1 unique source, 2 articles

Summary


Canvas Free-for-Teacher was affected by multiple XSS vulnerabilities that let attackers obtain authenticated admin sessions and carry out privileged actions. The flaws were abused to deface login portals and post an extortion message, turning a web-app weakness into a visible service and trust failure. The issue mattered because the affected environment is used by educators, and the same flaw was reused after the initial breach.

Related Happenings

ShinyHunters school-by-school extortion campaign targeting Canvas institutions

Campaign
First: 11.05.2026 13:05 Last: 11.05.2026 13:05 Sources 1

How related: ShinyHunters used the flaw to add a message to Canvas login portals, warning that the company, as well as schools using its platform, had until May 12 to reach out and negotiate a ransom.

About this happening: ShinyHunters intensified a **school-by-school extortion campaign** against **Canvas-related institutions**, increasing pressure on schools and universities as the group threatened...

Timeline

  1. 11.05.2026 18:26 1 article · 16d ago

    Instructure discovers Canvas network breach

    Initial Disclosure

    On April 29, Instructure discovered that its network had been breached and immediately revoked the unauthorized party's access, started an investigation, and engaged outside forensic experts.

  2. 11.05.2026 18:26 2 articles · 16d ago

    ShinyHunters reuses Canvas XSS flaw for extortion

    Exploitation Observed

    On May 7, ShinyHunters reused the same Canvas vulnerability to inject malicious JavaScript through user-generated content features, obtain authenticated admin sessions, deface Canvas login portals, and post an extortion message warning the company and schools using the platform to negotiate by May 12.

  3. 11.05.2026 18:26 1 article · 16d ago

    Instructure takes Canvas offline and restores service

    Mitigation Patch Update

    By May 9, Instructure had temporarily taken Canvas offline to prevent malicious activity from spreading, determine the cause, and apply additional safeguards, and it shut down Free-for-Teacher accounts until the issues were resolved before restoring Canvas for use.

  4. 11.05.2026 18:26 1 article · 16d ago

    Instructure confirms Free-for-Teacher exposure

    Victim Impact Update

    On May 11, Instructure confirmed that the exploited security issue affected the Free-for-Teacher environment, the free limited version of Canvas LMS for individual educators, while ShinyHunters claimed to have stolen more than 3.6 terabytes of uncompressed data from the earlier breach.
