Primary

Context

Moodle Persistent Cross-Site Scripting Vulnerability in Calendar Event Subtitles

Vulnerability

A persistent cross-site scripting vulnerability has been identified in Moodle version 3.10.3. This issue resides in the calendar event subtitle field, where attackers can inject malicious scripts. By crafting a calendar event with harmful JavaScript in the subtitle track label, attackers can execute arbitrary code when users view the event.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed when the event is viewed.

Reproduction

To reproduce this vulnerability, create a calendar event in Moodle 3.10.3. In the event subtitle track label, insert JavaScript code, such as an image tag with an 'onerror' event or a base64-encoded script. After saving the event, the injected script will execute when the event is viewed.

Added: Jan 21, 2026, 6:22 PM

Updated: Jan 21, 2026, 6:22 PM

Vulnerability Rating

Custom Algorithm

spread

5.0

impact

1.7

exploitability

6.3

remediation

0.0

relevance

2.3

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.0

impact

1.7

exploitability

6.3

remediation

0.0

relevance

2.3

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Moodle Persistent Cross-Site Scripting Vulnerability in Calendar Event Subtitles

Vulnerability

Impact

Reproduction

Affected Products

Moodle

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating