CVE-2026-33402
Cross-Site Scripting in Sakai Group Titles and Descriptions
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sakailms | sakai | From 23.0 (inc) to 23.5 (exc) |
| sakailms | sakai | From 25.0 (inc) to 25.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33402 is a low-severity cross-site scripting (XSS) vulnerability in the Sakai Collaboration and Learning Environment. It affects group titles and descriptions in certain versions, allowing these fields to contain malicious scripts. This can lead to script injection attacks when the content is viewed.
The affected versions are 23.0 through 23.4 and 25.0 through 25.1. The vulnerability has been patched in versions 23.5 and 25.2.
As a temporary workaround, administrators can check the SAKAI_SITE_GROUP database table for group titles and descriptions that may contain malicious scripts.
How can this vulnerability impact me?
This vulnerability can allow attackers to inject malicious scripts into group titles and descriptions within the Sakai environment. When other users view these group titles or descriptions, the malicious scripts could execute in their browsers.
Potential impacts include unauthorized actions performed on behalf of users, theft of session information, or other malicious behaviors enabled by cross-site scripting.
However, the vulnerability is rated as low severity with a CVSS base score of 1.3, indicating limited impact and exploitability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the SAKAI_SITE_GROUP database table for group titles and descriptions that contain suspicious or malicious cross-site scripting (XSS) scripts.
Administrators can query the database to find entries with potential XSS payloads in the title or description fields.
- Example SQL command to detect suspicious scripts: `SELECT * FROM SAKAI_SITE_GROUP WHERE title LIKE '%<script>%' OR description LIKE '%<script>%';`
- Modify the `LIKE` pattern to include other common XSS vectors or suspicious HTML tags as needed.
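An added example (not from this page or the Sakai project) that turns the one-line query above into a case-insensitive check for a few more markers and runs it against a constructed in-memory SQLite copy of the table. Column names follow the page's query; the marker list is an assumption, and the `?` placeholder is sqlite3's (MySQL and PostgreSQL drivers use `%s`).

```python
import sqlite3

# Substrings that have no business in a group title or description. Matched
# case-insensitively; "<script" without the closing ">" also catches
# "<SCRIPT>" and "<script src=...>", which the literal '%<script>%' pattern misses.
# This list is an assumption, not a complete XSS catalogue: treat hits as
# candidates for manual review, not as proof of compromise.
XSS_MARKERS = ("<script", "javascript:", "onerror=", "onload=",
               "onmouseover=", "<iframe", "<svg")


def build_query():
    """Return (sql, params) for the detection query.

    LOWER() makes the match case-insensitive on every database (LIKE is
    case-sensitive on PostgreSQL and in binary MySQL collations).
    """
    clauses, params = [], []
    for marker in XSS_MARKERS:
        for column in ("TITLE", "DESCRIPTION"):
            clauses.append(f"LOWER({column}) LIKE ?")
            params.append(f"%{marker}%")
    sql = ("SELECT GROUP_ID, SITE_ID, TITLE, DESCRIPTION FROM SAKAI_SITE_GROUP "
           "WHERE " + " OR ".join(clauses))
    return sql, params


def find_suspicious_groups(conn):
    """Return the sorted GROUP_IDs whose title or description contains a marker."""
    sql, params = build_query()
    return sorted(row[0] for row in conn.execute(sql, params))


def demo_db():
    """Constructed in-memory stand-in for SAKAI_SITE_GROUP (column names as in
    the page's query; the rows are made-up test data, not a real dump)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SAKAI_SITE_GROUP "
                 "(GROUP_ID TEXT, SITE_ID TEXT, TITLE TEXT, DESCRIPTION TEXT)")
    conn.executemany("INSERT INTO SAKAI_SITE_GROUP VALUES (?, ?, ?, ?)", [
        ("g1", "site-a", "Lab section 1", "Tuesday lab group"),
        ("g2", "site-a", "<SCRIPT>test</SCRIPT>", "upper-case tag"),  # missed by a case-sensitive '%<script>%'
        ("g3", "site-b", "Project team", '<img src=x onerror="test">'),  # no <script> tag at all
        ("g4", "site-b", "Reading group", "Discuss <b>chapter 3</b> first"),  # harmless markup, not flagged
    ])
    return conn


if __name__ == "__main__":
    for group_id in find_suspicious_groups(demo_db()):
        print("review group", group_id)
```

Treat hits as candidates for review; a substring match cannot prove a field is safe, so upgrading remains the fix.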
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Sakai to a patched version where this vulnerability is fixed, specifically versions 23.5 or 25.2 and later.
As a workaround before upgrading, administrators should inspect and clean the SAKAI_SITE_GROUP table to remove or sanitize any group titles and descriptions containing malicious scripts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this cross-site scripting (XSS) vulnerability in Sakai affects compliance with common standards and regulations such as GDPR or HIPAA.