CVE-2021-47857

HighPublic PoC

Published: 21 January 2026

Published

21 January 2026

Modified

05 March 2026

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

EPSS Score 0.0004 11.1th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-47857 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Moodle Moodle. Its CVSS base score is 7.2 (High).

Operationally, ranked at the 11.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CA-8 Penetration Testing

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

SI-10 Information Input Validation

addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

SI-15 Information Output Filtering

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

NVD Description

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when…

users view the event.

Deeper analysisAI

CVE-2021-47857 is a persistent cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Moodle version 3.10.3. The flaw exists in the calendar event subtitle field, specifically the subtitle track label, which fails to properly sanitize user input. This allows attackers to inject malicious JavaScript scripts into calendar events.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By crafting a calendar event with malicious JavaScript in the subtitle track label, attackers cause the script to execute arbitrary code in the browser of any user who views the event. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), enabling low confidentiality and integrity impacts with a changed scope.

Advisories and resources include the official Moodle site (https://moodle.org/), a proof-of-concept exploit on Exploit-DB (https://www.exploit-db.com/exploits/49714), and a detailed advisory from Vulncheck (https://www.vulncheck.com/advisories/moodle-label-persistent-cross-site-scripting). The CVE was published on 2026-01-21T18:16:16.567, with the Exploit-DB entry indicating public exploit availability.

Details

CWE(s): CWE-79

Affected Products

moodle

3.10.3

CVEs Like This One

CVE-2025-26530Same product: Moodle Moodle

CVE-2025-26529Same product: Moodle Moodle

CVE-2025-67850Same product: Moodle Moodle

CVE-2025-67849Same product: Moodle Moodle

CVE-2025-26533Same product: Moodle Moodle

CVE-2025-26525Same product: Moodle Moodle

CVE-2025-67847Same product: Moodle Moodle

CVE-2026-26045Same product: Moodle Moodle

CVE-2026-26046Same product: Moodle Moodle

CVE-2025-67856Same product: Moodle Moodle

References

https://moodle.org/
Product · disclosure@vulncheck.com
https://www.exploit-db.com/exploits/49714
Exploit, Third Party Advisory, VDB Entry · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/moodle-label-persistent-cross-site-scripting
Third Party Advisory · disclosure@vulncheck.com