CVE-2025-60507 HIGH

Vendor: N/A
Product: n/a
Published: October 21, 2025
Last update: October 21, 2025

CVSS base score

8.9/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AC:L/AV:N/A:L/C:H/I:H/PR:L/S:C/UI:R

What the vulnerability does

01 Description

Cross-site scripting (XSS) vulnerability in the Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with the Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users (including Students or Administrators) click the link, the payload executes in their browser.

Key dates

02 Disclosure timeline

October 21, 2025: CVE published
October 21, 2025: Record updated