Description
Sakai is a Collaboration and Learning Environment (CLE). In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and descriptions can contain cross-site scripting (XSS) scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAI_SITE_GROUP table for titles and descriptions that contain such scripts.
Published: 2026-03-26
Score: 1.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting that executes scripts in users’ browsers
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows group titles and descriptions to contain arbitrary JavaScript. When displayed in the Sakai web interface, the malicious code runs in the context of the user’s browser, potentially enabling session hijacking, credential theft, or other client‑side attacks.

Affected Systems

The Sakai Collaboration and Learning Environment is affected. Versions between 23.0 and 23.4, and between 25.0 and 25.1, are vulnerable due to improper handling of group metadata.

Risk and Exploitability

The CVSS base score is 1.3 and the EPSS score is below 1 %. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires creating or editing group titles or descriptions via the web UI, suggesting that privileged or authenticated users with group‑management permissions can provide the malicious content. Because the exploit is client‑side, the primary risk is to users who view the affected group pages. Overall risk remains low, but the potential impact to end users can be significant if the XSS payload is crafted to steal credentials.

Generated by OpenCVE AI on March 31, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest supported Sakai release (23.5 or newer, or 25.2 or newer) to address the XSS issue.
  • Search the SAKAI_SITE_GROUP table for titles and descriptions containing scripts and clean them manually.
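
The table check named in the second action, as an added example that is not part of the advisory or Sakai's own code: it flags TITLE and DESCRIPTION values that contain markup so they can be reviewed and cleaned manually. The GROUP_ID, TITLE and DESCRIPTION column names are assumptions, and an in-memory SQLite table with constructed rows stands in for a real Sakai database.

```python
import html
import re
import sqlite3

# Markup that has no place in a plain-text group title or description.
SUSPICIOUS = [
    ("html tag", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("script URI", re.compile(r"\b(?:javascript|vbscript)\s*:", re.I)),
]

def classify(value):
    """Return the names of the suspicious patterns found in one field value."""
    if not value:
        return []
    # Decode entities so that &lt;script&gt; is judged like <script>.
    text = html.unescape(value)
    return [name for name, rx in SUSPICIOUS if rx.search(text)]

def scan_groups(conn):
    """List (group_id, column, reasons) for every field that needs manual review."""
    findings = []
    # Column names are assumed; adjust to the deployed schema.
    query = "SELECT GROUP_ID, TITLE, DESCRIPTION FROM SAKAI_SITE_GROUP ORDER BY GROUP_ID"
    for group_id, title, description in conn.execute(query):
        for column, value in (("TITLE", title), ("DESCRIPTION", description)):
            reasons = classify(value)
            if reasons:
                findings.append((group_id, column, reasons))
    return findings

def build_sample_db():
    """Constructed sample rows in an in-memory SQLite stand-in for the Sakai database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SAKAI_SITE_GROUP (GROUP_ID TEXT, SITE_ID TEXT, TITLE TEXT, DESCRIPTION TEXT)")
    conn.executemany("INSERT INTO SAKAI_SITE_GROUP VALUES (?, ?, ?, ?)", [
        ("g1", "s1", "Lab Section A", "Meets Tuesdays"),
        ("g2", "s1", "<script>void(0)</script>", None),
        ("g3", "s2", "Project Team", '<img src=x onerror="void(0)">'),
        ("g4", "s2", "Readers", "&lt;a href=javascript:void(0)&gt;notes&lt;/a&gt;"),
        ("g5", "s3", "Grades < 50 & > 30", "Students needing support"),
    ])
    return conn

if __name__ == "__main__":
    for finding in scan_groups(build_sample_db()):
        print(finding)
```

Plain text that merely contains `<` or `&`, such as the constructed row g5, is not flagged; entity-encoded markup, such as row g4, is.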


Advisories

No advisories yet.

History

Tue, 31 Mar 2026 13:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Sakailms; Sakailms sakai |
| CPEs | | cpe:2.3:a:sakailms:sakai:*:*:*:*:*:*:*:* |
| Vendors & Products | | Sakailms; Sakailms sakai |
| Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'} |


Fri, 27 Mar 2026 08:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Sakaiproject; Sakaiproject sakai |
| Vendors & Products | | Sakaiproject; Sakaiproject sakai |

Thu, 26 Mar 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 26 Mar 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Sakai is a Collaboration and Learning Environment (CLE). In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and descriptions can contain cross-site scripting (XSS) scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAI_SITE_GROUP table for titles and descriptions that contain such scripts. |
| Title | | SAK-52311: Sakai site-manage group titles can contain XSS content |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV4_0: {'score': 1.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T18:49:31.777Z

Reserved: 2026-03-19T17:02:34.170Z

Link: CVE-2026-33402

Vulnrichment

Updated: 2026-03-26T18:49:28.510Z

NVD

Status: Analyzed

Published: 2026-03-26T17:16:38.287

Modified: 2026-03-31T13:11:41.240

Link: CVE-2026-33402

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:08:45Z
