Cyber Resilience

CVE-2021-47857

MediumPublic PoC

Published: 21 January 2026

Published
21 January 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score v4 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0005 16.0th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-47857 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Moodle Moodle. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2021-47857 is a persistent cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Moodle version 3.10.3. The flaw exists in the calendar event subtitle field, specifically the subtitle track label, which fails to properly sanitize user input. This allows attackers to inject malicious JavaScript scripts into calendar events.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By crafting a calendar event with malicious JavaScript in the subtitle track label, attackers cause the script to execute arbitrary code in the browser of any user who views the event. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), enabling low confidentiality and integrity impacts with a changed scope.

Advisories and resources include the official Moodle site (https://moodle.org/), a proof-of-concept exploit on Exploit-DB (https://www.exploit-db.com/exploits/49714), and a detailed advisory from Vulncheck (https://www.vulncheck.com/advisories/moodle-label-persistent-cross-site-scripting). The CVE was published on 2026-01-21T18:16:16.567, with the Exploit-DB entry indicating public exploit availability.

EU & UK References

Vulnerability details

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when…

more

users view the event.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Stored XSS enables remote injection and browser-based JS execution via a public-facing web app vulnerability (T1190); directly facilitates client-side script execution (T1059.007).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-67850Same product: Moodle Moodle
CVE-2025-26529Same product: Moodle Moodle
CVE-2025-26530Same product: Moodle Moodle
CVE-2025-67849Same product: Moodle Moodle
CVE-2025-26533Same product: Moodle Moodle
CVE-2025-67853Same product: Moodle Moodle
CVE-2025-26525Same product: Moodle Moodle
CVE-2026-26046Same product: Moodle Moodle
CVE-2026-26045Same product: Moodle Moodle
CVE-2025-67848Same product: Moodle Moodle

Affected Assets

moodle
moodle
3.10.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandatory validation and sanitization of all user-supplied calendar subtitle input would block the unsanitized JavaScript that constitutes the persistent XSS payload.

prevent

Output filtering or encoding of event subtitle data before rendering would neutralize embedded scripts so they cannot execute in viewers' browsers.

preventdetect

Malicious-code protection mechanisms can inspect or block the injected script content at ingestion or render time, limiting exploit success.

References