Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Sakai is a Collaboration and Learning Environment (CLE). In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAI_SITE_GROUP table for titles and descriptions that contain this info.
AnalysisAI
Sakai Collaboration and Learning Environment versions 23.0-23.4 and 25.0-25.1 fail to sanitize group titles and descriptions, permitting stored cross-site scripting (XSS) attacks that execute in the browsers of users viewing affected group metadata. Authenticated users with group creation or modification privileges can inject malicious scripts that persist in the SAKAI_SITE_GROUP table and execute when other users access group information, compromising session security and enabling credential theft or unauthorized actions within the Sakai environment. Vendor-released patches are available in versions 23.5 and 25.2; no active exploitation has been reported, but the low CVSS score (1.3) reflects minimal baseline impact rather than true severity, given the requirement for user interaction (UI:P) and limited scope of harm (SC:L, SI:L) as documented in the CVSS:4.0 vector.
Technical ContextAI
Sakai is a Java-based open-source Collaboration and Learning Environment widely deployed in educational and enterprise settings. The vulnerability resides in improper input validation and output encoding of the group title and description fields stored in the SAKAI_SITE_GROUP relational database table (CPE: cpe:2.3:a:sakaiproject:sakai). The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a stored XSS vulnerability where user-supplied input is persisted without sanitization and later rendered in HTML context without encoding. When group data is retrieved and displayed in the Sakai user interface, the unencoded malicious script tags (e.g., <script>, <img onerror>) execute in the victim's browser within the Sakai application domain, allowing access to session cookies, local storage, or execution of actions on behalf of the victim.
RemediationAI
Upgrade Sakai to version 23.5 or 25.2 or later; these patched releases are available from the Sakai project repository and vendor distribution channels (see https://github.com/sakaiproject/sakai/security/advisories/GHSA-6g62-3898-hpvm for release notes). Organizations unable to patch immediately should execute the manual workaround: query the SAKAI_SITE_GROUP table for group titles and descriptions containing HTML/JavaScript patterns (e.g., <script>, onerror=, onclick=) and sanitize or remove offending entries using database administration tools. Additionally, implement Web Application Firewall (WAF) rules to reject or encode angle brackets in group metadata submission endpoints, and enforce Content Security Policy (CSP) headers with script-src restrictions to limit inline script execution as a defense-in-depth measure until patching is completed.
Sakai is a Collaboration and Learning Environment. Rated high severity (CVSS 8.7), this vulnerability is remotely exploi
Sakai through 12.6 allows XSS via a chat user name. Rated medium severity (CVSS 6.1), this vulnerability is remotely exp
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16256