High severity8.9NVD Advisory· Published Oct 21, 2025· Updated Apr 15, 2026

CVE-2025-60507

Description

Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direct HTML link to the uploaded file without sanitization. When other users (including Students or Administrators) click the link, the payload executes in their browser.

Affected products

Onurcangnc/Moodle Genai Plugin Xssreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

moodle.org/plugins/local_geniainvd
moodle.org/security/nvd
onurcangenc.com.tr/posts/moodle-genia%C4%B1-plugin-vulnerability-stored-reflected-xss-via-pdf-upload-and-chatbot-%C4%B1nput/nvd

News mentions

No linked articles in our index yet.

cvss	0.579
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000