Description
Mahara before 25.04.2 and 24.04.11 are vulnerable to displaying results that can trigger XSS via a malicious search query string. This occurs in the 'search site' feature when using the Elasticsearch7 search plugin. The Elasticsearch function does not properly sanitize input in the query parameter.
Published: 2026-04-24
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Upgrade
AI Analysis

Impact

Mahara allows a reflected cross‑site scripting attack when users submit a malicious query through its ‘search site’ feature. The Elasticsearch7 plugin used by the platform fails to sanitize the search string, causing user‑controlled input to be rendered in the search results. This flaw can be exploited to run arbitrary JavaScript in the context of a victim’s browser.

Affected Systems

The issue is present in Mahara releases before 25.04.2 and before 24.04.11 when the Elasticsearch7 search plugin is enabled. Any system running these versions and exposing the search feature to external users is vulnerable.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity, but the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV inventory. Attackers can trigger the flaw remotely by sending a crafted search query from an external source, and the impact depends on the user's session privileges and the web console’s execution context.

Generated by OpenCVE AI on April 28, 2026 at 07:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mahara to 25.04.2 or later, and to 24.04.11 or later, to eliminate the flaw.
  • Disable the Elasticsearch7 search plugin if it cannot be upgraded, or limit its use to trusted users.
  • Implement server‑side input validation that sanitizes query parameters to prevent reflected XSS.

Generated by OpenCVE AI on April 28, 2026 at 07:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Title Mahara XSS Vulnerability via Malicious Search Query in Elasticsearch7 Plugin

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Mahara
Mahara mahara
Vendors & Products Mahara
Mahara mahara

Fri, 24 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Mahara before 25.04.2 and 24.04.11 are vulnerable to displaying results that can trigger XSS via a malicious search query string. This occurs in the 'search site' feature when using the Elasticsearch7 search plugin. The Elasticsearch function does not properly sanitize input in the query parameter.
References

Subscriptions

Mahara Mahara
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-24T15:03:27.399Z

Reserved: 2025-10-03T00:00:00.000Z

Link: CVE-2025-61872

cve-icon Vulnrichment

Updated: 2026-04-24T15:02:03.716Z

cve-icon NVD

Status : Deferred

Published: 2026-04-24T15:16:25.320

Modified: 2026-04-24T17:54:36.243

Link: CVE-2025-61872

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:15:19Z

Weaknesses