CVE-2025-61788: 
Java vulnerability analysis and mitigation

CVE-2025-61788 affects Opencast, a free open-source platform for managing educational audio and video content. The vulnerability was discovered in versions prior to Opencast 17.8 and 18.2, where the Paella player component would render user inputs like metadata (title, description, etc.) without proper filtering or modification. The issue was disclosed on October 8, 2025 (GitHub Advisory).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v4.0 score is 5.1 (Medium), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N. The vulnerability stems from the Paella player component's failure to properly sanitize user-provided metadata before rendering it in the web interface (NVD).

When exploited, this vulnerability allows attackers to inject malicious HTML and JavaScript code into the player, which gets executed in the browsers of users watching the prepared media. This can lead to site modification and potential execution of actions under the context of logged-in users (GitHub Advisory).

The vulnerability has been patched in Opencast versions 17.8 and 18.2. Organizations running affected versions should upgrade to these patched versions to mitigate the risk. The fix involves proper filtering and modification of user inputs before rendering them in the player (GitHub Advisory).