{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33402", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.170Z", "datePublished": "2026-03-26T16:45:59.734Z", "dateUpdated": "2026-03-26T18:49:31.777Z"}, "containers": {"cna": {"title": "SAK-52311: Sakai site-manage group titles can contain XSS content", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 1.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/sakaiproject/sakai/security/advisories/GHSA-6g62-3898-hpvm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sakaiproject/sakai/security/advisories/GHSA-6g62-3898-hpvm"}, {"name": "https://sakaiproject.atlassian.net/browse/SAK-52311", "tags": ["x_refsource_MISC"], "url": "https://sakaiproject.atlassian.net/browse/SAK-52311"}], "affected": [{"vendor": "sakaiproject", "product": "sakai", "versions": [{"version": ">= 23.0, < 23.5", "status": "affected"}, {"version": ">= 25.0, < 25.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T16:45:59.734Z"}, "descriptions": [{"lang": "en", "value": "Sakai is a Collaboration and Learning Environment (CLE). In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAI_SITE_GROUP table for titles and descriptions that contain this info."}], "source": {"advisory": "GHSA-6g62-3898-hpvm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:49:23.998248Z", "id": "CVE-2026-33402", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:49:31.777Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33402", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:49:23.998248Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:49:28.510Z"}}], "cna": {"title": "SAK-52311: Sakai site-manage group titles can contain XSS content", "source": {"advisory": "GHSA-6g62-3898-hpvm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 1.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "sakaiproject", "product": "sakai", "versions": [{"status": "affected", "version": ">= 23.0, < 23.5"}, {"status": "affected", "version": ">= 25.0, < 25.2"}]}], "references": [{"url": "https://github.com/sakaiproject/sakai/security/advisories/GHSA-6g62-3898-hpvm", "name": "https://github.com/sakaiproject/sakai/security/advisories/GHSA-6g62-3898-hpvm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://sakaiproject.atlassian.net/browse/SAK-52311", "name": "https://sakaiproject.atlassian.net/browse/SAK-52311", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Sakai is a Collaboration and Learning Environment (CLE). In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAI_SITE_GROUP table for titles and descriptions that contain this info."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T16:45:59.734Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33402", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:49:31.777Z", "dateReserved": "2026-03-19T17:02:34.170Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T16:45:59.734Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sakailms:sakai:*:*:*:*:*:*:*:*", "matchCriteriaId": "D75FAFA7-2928-4FEA-BE03-CC9211C42A2B", "versionEndExcluding": "23.5", "versionStartIncluding": "23.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sakailms:sakai:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB603635-0CE3-4E36-A279-47C8E67C1499", "versionEndExcluding": "25.2", "versionStartIncluding": "25.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sakai is a Collaboration and Learning Environment (CLE). In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAI_SITE_GROUP table for titles and descriptions that contain this info."}, {"lang": "es", "value": "Sakai es un Entorno de Colaboraci\u00f3n y Aprendizaje (CLE). En las versiones 23.0 a 23.4 y 25.0 a 25.1, los t\u00edtulos y la descripci\u00f3n de los grupos pueden contener scripts de cross-site scripting. El parche est\u00e1 incluido en las versiones 25.2 y 23.5. Como soluci\u00f3n alternativa, se puede verificar la tabla SAKAI_SITE_GROUP en busca de t\u00edtulos y descripciones que contengan esta informaci\u00f3n."}], "id": "CVE-2026-33402", "lastModified": "2026-03-31T13:11:41.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T17:16:38.287", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/sakaiproject/sakai/security/advisories/GHSA-6g62-3898-hpvm"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required"], "url": "https://sakaiproject.atlassian.net/browse/SAK-52311"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[23.0,23.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[25.0,25.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "sakai", "source": "cna", "vendor": "sakaiproject"}, "product": "sakai", "vendor": "sakaiproject"}], "analysis": {"en": {"generated_at": "2026-03-31T14:37:16.802473+00:00", "value": {"mitigation_remediation": ["Apply the latest supported Sakai release (23.5 or newer, or 25.2 or newer) to address the XSS issue.", "Search the SAKAI_SITE_GROUP table for titles and descriptions containing scripts and clean them manually."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting that executes scripts in users\u2019 browsers"}, "threat_synthesis": {"affected_systems": "The Sakai Collaboration and Learning Environment is affected. Versions between 23.0 and 23.4, and between 25.0 and 25.1, are vulnerable due to improper handling of group metadata.", "description_and_impact": "The vulnerability allows group titles and descriptions to contain arbitrary JavaScript. When displayed in the Sakai web interface, the malicious code runs in the context of the user\u2019s browser, potentially enabling session hijacking, credential theft, or other client\u2011side attacks.", "risk_and_exploitability": "The CVSS base score is 1.3 and the EPSS score is below 1\u202f%. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires creating or editing group titles or descriptions via the web UI, suggesting that privileged or authenticated users with group\u2011management permissions can provide the malicious content. Because the exploit is client\u2011side, the primary risk is to users who view the affected group pages. Overall risk remains low, but the potential impact to end users can be significant if the XSS payload is crafted to steal credentials."}}}}, "created": "2026-03-27T08:33:43.830237+00:00", "updated": "2026-03-31T20:08:45.463223+00:00", "vendors": ["sakaiproject", "sakaiproject$PRODUCT$sakai"]}