CVE-2021-47857
Published: 21 January 2026
Summary
CVE-2021-47857 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Moodle Moodle. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2021-47857 is a persistent cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Moodle version 3.10.3. The flaw exists in the calendar event subtitle field, specifically the subtitle track label, which fails to properly sanitize user input. This allows attackers to inject malicious JavaScript scripts into calendar events.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By crafting a calendar event with malicious JavaScript in the subtitle track label, attackers cause the script to execute arbitrary code in the browser of any user who views the event. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), enabling low confidentiality and integrity impacts with a changed scope.
Advisories and resources include the official Moodle site (https://moodle.org/), a proof-of-concept exploit on Exploit-DB (https://www.exploit-db.com/exploits/49714), and a detailed advisory from Vulncheck (https://www.vulncheck.com/advisories/moodle-label-persistent-cross-site-scripting). The CVE was published on 2026-01-21T18:16:16.567, with the Exploit-DB entry indicating public exploit availability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3616
Vulnerability details
Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when…
more
users view the event.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS enables remote injection and browser-based JS execution via a public-facing web app vulnerability (T1190); directly facilitates client-side script execution (T1059.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandatory validation and sanitization of all user-supplied calendar subtitle input would block the unsanitized JavaScript that constitutes the persistent XSS payload.
Output filtering or encoding of event subtitle data before rendering would neutralize embedded scripts so they cannot execute in viewers' browsers.
Malicious-code protection mechanisms can inspect or block the injected script content at ingestion or render time, limiting exploit success.