CVE-2026-33402
Received Received - Intake
Cross-Site Scripting in Sakai Group Titles and Descriptions

Publication date: 2026-03-26

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
Sakai is a Collaboration and Learning Environment (CLE). In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAI_SITE_GROUP table for titles and descriptions that contain this info.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33402
EUVD
EUVD-2026-16256
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
sakailms sakai From 23.0 (inc) to 23.5 (exc)
sakailms sakai From 25.0 (inc) to 25.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33402 is a low-severity cross-site scripting (XSS) vulnerability in the Sakai Collaboration and Learning Environment. It affects group titles and descriptions in certain versions, allowing these fields to contain malicious scripts. This can lead to script injection attacks when the content is viewed.

The affected versions are 23.0 through 23.4 and 25.0 through 25.1. The vulnerability has been patched in versions 23.5 and 25.2.

As a temporary workaround, administrators can check the SAKAI_SITE_GROUP database table for group titles and descriptions that may contain malicious scripts.

Impact Analysis

This vulnerability can allow attackers to inject malicious scripts into group titles and descriptions within the Sakai environment. When other users view these group titles or descriptions, the malicious scripts could execute in their browsers.

Potential impacts include unauthorized actions performed on behalf of users, theft of session information, or other malicious behaviors enabled by cross-site scripting.

However, the vulnerability is rated as low severity with a CVSS base score of 1.3, indicating limited impact and exploitability.

Compliance Impact

The provided information does not specify how this cross-site scripting (XSS) vulnerability in Sakai affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by inspecting the SAKAI_SITE_GROUP database table for group titles and descriptions that contain suspicious or malicious cross-site scripting (XSS) scripts.

Administrators can query the database to find entries with potential XSS payloads in the title or description fields.

  • Example SQL command to detect suspicious scripts: SELECT * FROM SAKAI_SITE_GROUP WHERE title LIKE '%<script>%' OR description LIKE '%<script>%';
  • Modify the LIKE pattern to include other common XSS vectors or suspicious HTML tags as needed.
Mitigation Strategies

The immediate mitigation step is to upgrade Sakai to a patched version where this vulnerability is fixed, specifically versions 23.5 or 25.2 and later.

As a workaround before upgrading, administrators should inspect and clean the SAKAI_SITE_GROUP table to remove or sanitize any group titles and descriptions containing malicious scripts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33402. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart