RELATE web-based courseware package contains a stored cross-site scripting vulnerability in versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620. The vulnerability allows enrolled students to execute arbitrary JavaScript in administrator browser sessions, potentially leading to full admin account takeover. The issue stems from the get_user() method in ParticipationAdmin rendering user-controlled input using mark_safe combined with Python's % string formatting, which bypasses Django's automatic HTML escaping. User first_name and last_name fields are freely editable through the profile page with no sanitization applied. When admins view the Participation list in Django admin panel, unsanitized values are rendered directly into HTML response, executing injected scripts.