Multiple vulnerabilities in Moodle
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 10 |
| CVE-ID | CVE-2025-26533 CVE-2025-26525 CVE-2025-26526 CVE-2025-26527 CVE-2025-26531 CVE-2025-26532 CVE-2025-26528 CVE-2025-26529 CVE-2025-26530 CVE-2024-38999 |
| CWE-ID | CWE-89 CWE-200 CWE-284 CWE-79 CWE-1321 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Moodle Web applications / Other software |
| Vendor | moodle.org |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
1) SQL injection
EUVDB-ID: #VU104018
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-26533
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the module list filter within course search. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.1.0 - 4.5.1
CPE2.3- cpe:2.3:a:moodle_org:moodle:4.1.15:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:4.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:4.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:moodle_org:moodle:4.5.1:*:*:*:*:*:*:*
https://moodle.org/mod/forum/discuss.php?d=466150
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84271
https://github.com/advisories/GHSA-rg56-94j7-hjx9
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU104030
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-26525
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to insufficient sanitizing in the TeX notation filter. A remote attacker can gain unauthorized access to sensitive information on sites where pdfTeX is available.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.1.0 - 4.5.1
CPE2.3https://moodle.org/mod/forum/discuss.php?d=466141
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84136
https://github.com/advisories/GHSA-4hmr-39vp-xfrr
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper access control
EUVDB-ID: #VU104029
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-26526
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to feedback response viewing and deletions do not respect Separate Groups mode. A remote attacker can view or delete the responses in Feedback activities.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.1.0 - 4.5.1
CPE2.3https://moodle.org/mod/forum/discuss.php?d=466142
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79976
https://github.com/advisories/GHSA-pxg4-xjp7-w9c5
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Information disclosure
EUVDB-ID: #VU104028
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-26527
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to non-searchable tags can still be discovered on the tag search page and in the tags block. A remote user can gain unauthorized access to sensitive information on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.1.0 - 4.5.1
CPE2.3https://moodle.org/mod/forum/discuss.php?d=466143
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83941
https://github.com/advisories/GHSA-5r85-6h7f-rg3r
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Improper access control
EUVDB-ID: #VU104026
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-26531
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to the IDOR issue in badges. A remote user can disable badges they do not have permission to access.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.1.0 - 4.5.1
CPE2.3https://moodle.org/mod/forum/discuss.php?d=466148
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84239
https://github.com/advisories/GHSA-g88w-v4cq-qgcp
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper access control
EUVDB-ID: #VU104024
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-26532
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can evade trusttext config when restoring glossary entries.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.1.0 - 4.5.1
CPE2.3https://moodle.org/mod/forum/discuss.php?d=466149
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84003
https://github.com/advisories/GHSA-cw24-f6fq-7j9v
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Stored cross-site scripting
EUVDB-ID: #VU104021
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-26528
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in ddimageortext question type. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.1.0 - 4.5.1
CPE2.3https://moodle.org/mod/forum/discuss.php?d=466144
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82896
https://github.com/advisories/GHSA-h697-w4ph-7pcx
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Stored cross-site scripting
EUVDB-ID: #VU104020
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-26529
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in admin live log. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.1.0 - 4.5.1
CPE2.3https://moodle.org/mod/forum/discuss.php?d=466145
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84145
https://github.com/advisories/GHSA-wr88-x8cm-7cgq
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Cross-site scripting
EUVDB-ID: #VU104019
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-26530
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within question bank filter. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMoodle: 4.3.0 - 4.5.1
CPE2.3https://moodle.org/mod/forum/discuss.php?d=466146
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84146
https://github.com/advisories/GHSA-4w32-c9g7-27qx
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Prototype pollution
EUVDB-ID: #VU97244
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-38999
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to prototype pollution via the function s.contexts._.configure. A remote attacker can pass specially crafted input to the application and perform prototype pollution, which can result in information disclosure or data manipulation.
Install update from vendor's website.
Vulnerable software versionsMoodle: 4.1.0 - 4.5.1
CPE2.3https://moodle.org/mod/forum/discuss.php?d=466147
https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84023
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
