CVE-2025-61788: Opencast's Paella Player 7 is vulnerable to Cross-Site Scripting

October 8, 2025 (updated October 13, 2025)

Prior to Opencast 17.8 and 18.2 the paella would include and render some user inputs (metadata like title, description, etc.) unfiltered and unmodified.

References

github.com/advisories/GHSA-m2vg-rmq6-p62r
github.com/opencast/opencast
github.com/opencast/opencast/commit/2809520fa88d108d8104c760f00c10bad42c14f9
github.com/opencast/opencast/security/advisories/GHSA-m2vg-rmq6-p62r
nvd.nist.gov/vuln/detail/CVE-2025-61788

Code Behaviors & Features

Detect and mitigate CVE-2025-61788 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →