Skip to main content

Sakai CVE-2026-33402

| EUVDEUVD-2026-16256 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-03-26 GitHub_M
1.3
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
1.3 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
25.2,23.5
EUVD ID Assigned
Mar 26, 2026 - 17:15 euvd
EUVD-2026-16256
Analysis Generated
Mar 26, 2026 - 17:15 vuln.today
CVE Published
Mar 26, 2026 - 16:45 nvd
LOW 1.3

DescriptionGitHub Advisory

Sakai is a Collaboration and Learning Environment (CLE). In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAI_SITE_GROUP table for titles and descriptions that contain this info.

AnalysisAI

Sakai Collaboration and Learning Environment versions 23.0-23.4 and 25.0-25.1 fail to sanitize group titles and descriptions, permitting stored cross-site scripting (XSS) attacks that execute in the browsers of users viewing affected group metadata. Authenticated users with group creation or modification privileges can inject malicious scripts that persist in the SAKAI_SITE_GROUP table and execute when other users access group information, compromising session security and enabling credential theft or unauthorized actions within the Sakai environment. Vendor-released patches are available in versions 23.5 and 25.2; no active exploitation has been reported, but the low CVSS score (1.3) reflects minimal baseline impact rather than true severity, given the requirement for user interaction (UI:P) and limited scope of harm (SC:L, SI:L) as documented in the CVSS:4.0 vector.

Technical ContextAI

Sakai is a Java-based open-source Collaboration and Learning Environment widely deployed in educational and enterprise settings. The vulnerability resides in improper input validation and output encoding of the group title and description fields stored in the SAKAI_SITE_GROUP relational database table (CPE: cpe:2.3:a:sakaiproject:sakai). The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a stored XSS vulnerability where user-supplied input is persisted without sanitization and later rendered in HTML context without encoding. When group data is retrieved and displayed in the Sakai user interface, the unencoded malicious script tags (e.g., <script>, <img onerror>) execute in the victim's browser within the Sakai application domain, allowing access to session cookies, local storage, or execution of actions on behalf of the victim.

RemediationAI

Upgrade Sakai to version 23.5 or 25.2 or later; these patched releases are available from the Sakai project repository and vendor distribution channels (see https://github.com/sakaiproject/sakai/security/advisories/GHSA-6g62-3898-hpvm for release notes). Organizations unable to patch immediately should execute the manual workaround: query the SAKAI_SITE_GROUP table for group titles and descriptions containing HTML/JavaScript patterns (e.g., <script>, onerror=, onclick=) and sanitize or remove offending entries using database administration tools. Additionally, implement Web Application Firewall (WAF) rules to reject or encode angle brackets in group metadata submission endpoints, and enforce Content Security Policy (CSP) headers with script-src restrictions to limit inline script execution as a defense-in-depth measure until patching is completed.

Share

CVE-2026-33402 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy