CVE-2026-33402 is a cross-site scripting (XSS) vulnerability classified under CWE-79 found in the Sakai Collaboration and Learning Environment (CLE), specifically in versions 23.0 through 23.4 and 25.0 through 25.1. The vulnerability stems from improper neutralization of input during web page generation, where group titles and descriptions are not adequately sanitized before being rendered in the web interface. This allows an attacker to inject malicious JavaScript code into these fields. When a legitimate user views a group page containing such crafted content, the malicious script executes in their browser context. The vulnerability does not require authentication to exploit but does require user interaction, such as visiting a maliciously crafted group page. The CVSS 4.0 base score is 1.3, reflecting low severity due to limited impact on confidentiality, integrity, and availability, and the need for user interaction. The scope is limited to the client side, with no privilege escalation or server compromise indicated. The vulnerability was publicly disclosed on March 26, 2026, with patches included in Sakai versions 23.5 and 25.2. As an interim mitigation, administrators can query the SAKAI_SITE_GROUP database table to identify and remove malicious scripts embedded in group titles and descriptions. No known exploits have been reported in the wild, but the vulnerability poses a risk of client-side attacks such as session hijacking or phishing if exploited.

The primary impact of CVE-2026-33402 is on the confidentiality and integrity of end-user sessions within the Sakai CLE environment. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of a victim’s browser, potentially leading to session hijacking, theft of sensitive information, or redirection to malicious sites. However, the vulnerability does not affect server-side components or system availability. Because exploitation requires user interaction and the attacker must inject malicious scripts into group titles or descriptions, the attack surface is somewhat limited. Organizations relying on Sakai for collaboration and learning risk exposure of user credentials or sensitive data if the vulnerability is exploited, especially in environments with high user trust and frequent group interactions. The low CVSS score reflects the limited scope and impact, but the risk remains relevant for educational institutions and organizations using affected Sakai versions, particularly if they have not applied the patches or implemented mitigations.

1. Apply official patches by upgrading Sakai to versions 23.5 or 25.2 or later, which include fixes for this XSS vulnerability. 2. As an immediate workaround, audit the SAKAI_SITE_GROUP database table for group titles and descriptions containing suspicious or script-like content, and sanitize or remove such entries. 3. Implement Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of potential XSS attacks. 4. Educate users to be cautious when interacting with group pages and to report suspicious behavior. 5. Regularly monitor web application logs and user reports for signs of attempted exploitation or unusual activity. 6. Consider deploying web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting Sakai. 7. Review and harden input validation and output encoding practices in custom Sakai deployments or integrations to prevent similar vulnerabilities.