{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33402", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-19T17:02:34.170Z", "datePublished": "2026-03-26T16:45:59.734Z", "dateUpdated": "2026-03-26T18:49:31.777Z"}, "containers": {"cna": {"title": "SAK-52311: Sakai site-manage group titles can contain XSS content", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 1.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/sakaiproject/sakai/security/advisories/GHSA-6g62-3898-hpvm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sakaiproject/sakai/security/advisories/GHSA-6g62-3898-hpvm"}, {"name": "https://sakaiproject.atlassian.net/browse/SAK-52311", "tags": ["x_refsource_MISC"], "url": "https://sakaiproject.atlassian.net/browse/SAK-52311"}], "affected": [{"vendor": "sakaiproject", "product": "sakai", "versions": [{"version": ">= 23.0, < 23.5", "status": "affected"}, {"version": ">= 25.0, < 25.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T16:45:59.734Z"}, "descriptions": [{"lang": "en", "value": "Sakai is a Collaboration and Learning Environment (CLE). In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAI_SITE_GROUP table for titles and descriptions that contain this info."}], "source": {"advisory": "GHSA-6g62-3898-hpvm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:49:23.998248Z", "id": "CVE-2026-33402", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:49:31.777Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33402", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:49:23.998248Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:49:28.510Z"}}], "cna": {"title": "SAK-52311: Sakai site-manage group titles can contain XSS content", "source": {"advisory": "GHSA-6g62-3898-hpvm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 1.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "sakaiproject", "product": "sakai", "versions": [{"status": "affected", "version": ">= 23.0, < 23.5"}, {"status": "affected", "version": ">= 25.0, < 25.2"}]}], "references": [{"url": "https://github.com/sakaiproject/sakai/security/advisories/GHSA-6g62-3898-hpvm", "name": "https://github.com/sakaiproject/sakai/security/advisories/GHSA-6g62-3898-hpvm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://sakaiproject.atlassian.net/browse/SAK-52311", "name": "https://sakaiproject.atlassian.net/browse/SAK-52311", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Sakai is a Collaboration and Learning Environment (CLE). In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAI_SITE_GROUP table for titles and descriptions that contain this info."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T16:45:59.734Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33402", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:49:31.777Z", "dateReserved": "2026-03-19T17:02:34.170Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-26T16:45:59.734Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Sakai is a Collaboration and Learning Environment (CLE). In versions 23.0 through 23.4 and 25.0 through 25.1, group titles and description can contain cross-site scripting scripts. The patch is included in releases 25.2 and 23.5. As a workaround, one can check the SAKAI_SITE_GROUP table for titles and descriptions that contain this info."}], "id": "CVE-2026-33402", "lastModified": "2026-03-26T17:16:38.287", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T17:16:38.287", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/sakaiproject/sakai/security/advisories/GHSA-6g62-3898-hpvm"}, {"source": "security-advisories@github.com", "url": "https://sakaiproject.atlassian.net/browse/SAK-52311"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[23.0,23.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[25.0,25.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "sakai", "source": "cna", "vendor": "sakaiproject"}, "product": "sakai", "vendor": "sakaiproject"}], "analysis": {"en": {"generated_at": "2026-03-26T19:21:02.129126+00:00", "value": {"mitigation_remediation": ["Update Sakai to at least version\u00a023.5 or\u00a025.2, which includes the fix.", "As a temporary measure, review the SAKAI_SITE_GROUP table for titles or descriptions containing script tags or other suspicious content and sanitize or delete them."], "summary": {"action": "Patch", "impact": "Cross\u2011site scripting in group titles and descriptions"}, "threat_synthesis": {"affected_systems": "Sakaiproject's Sakai Community Edition, versions 23.0 through 23.4 and 25.0 through 25.1, have unsanitized input for group titles and descriptions. The issue is fixed in version 23.5 and 25.2. No other products are referenced.", "description_and_impact": "The vulnerability allows an attacker to embed arbitrary script code into group titles or descriptions. When a user opens a group, the injected scripts execute in their browser, potentially stealing session data or performing other malicious actions. The weakness is classified as a classic stored XSS (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 1.3 indicates limited overall severity but the actual risk depends on whether users can enter group data. No EPSS data is available and it is not in the KEV catalog. The attack vector likely involves creating or editing a group via the site\u2011management interface and is only effective for users who view the group. Even so, tampering with session cookies or hijacking could occur if the payload is crafted accordingly."}}}}, "created": "2026-03-27T08:33:43.830237+00:00", "updated": "2026-03-27T09:26:09.507769+00:00", "vendors": ["sakaiproject", "sakaiproject$PRODUCT$sakai"]}