Security announcements | Moodle.org
How can I report a security issue?
Please submit your findings via our security issue submission form, providing step by step instructions if possible. See Moodle security procedures for further details.
Security announcements
The upstream Symfony process module version required updating to remove a command injection risk on Windows systems.
Severity/Risk: Serious
Versions affected: 4.5 to 4.5.8
Versions fixed: 4.5.9
Reported by: Dustin Frank
CVE identifier: CVE-2024-51736
Changes (4.5.9):
Tracker issue: MDL-87594 Update Symfony process module version to avoid a security risk (upstream)
Rendering of TeX content with mimetex in the formula editor required execution time limitations to prevent a denial of service risk.
Severity/Risk: Serious
Versions affected: 5.1 to 5.1.1, 5.0 to 5.0.4, 4.5 to 4.5.8 and earlier unsupported versions
Versions fixed: 5.1.2, 5.0.5 and 4.5.9
Reported by: Aleksey Solovev (Positive Technologies)
CVE identifier: CVE-2026-26047
Changes (5.1.2):
Tracker issue: MDL-86785 Denial of service risk in TeX formula editor
Additional sanitizing was required on a TeX filter administration setting to prevent a remote code execution risk.
Note: The affected setting could only be accessed by site administrators, and only affected sites with the TeX notation filter enabled and ImageMagick installed on the server.
Severity/Risk: Serious
Versions affected: 5.1 to 5.1.1, 5.0 to 5.0.4, 4.5 to 4.5.8 and earlier unsupported versions
Versions fixed: 5.1.2, 5.0.5 and 4.5.9
Reported by: Vicevirus
CVE identifier: CVE-2026-26046
Changes (main):
Tracker issue: MDL-87843 and MDL-87870 Remote code execution risk in TeX filter admin setting
A remote code execution risk was identified in the file restore functionality.
Severity/Risk: Serious
Versions affected: 5.1 to 5.1.1, 5.0 to 5.0.4, 4.5 to 4.5.8 and earlier unsupported versions
Versions fixed: 5.1.2, 5.0.5 and 4.5.9
Reported by: Dinhnhi from VNPT-VCI
CVE identifier: CVE-2026-26045
Changes (main):
Tracker issue: MDL-87612 Remote code execution risk via file restore
When blind marking is enabled for an assignment, user IDs remained visible on the assignment submissions page instead of being masked.
Severity/Risk: Minor
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Mihail Geshoski
CVE identifier: CVE-2025-67857
Changes (main):
Tracker issue: MDL-82808 User IDs exposed in URLs when using anonymous submissions in assignment
Badges being awarded with a role performed the correct capability check, but did not verify the user had the required role to meet the award criterion.
Severity/Risk: Minor
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Stefan Hanauska
CVE identifier: CVE-2025-67856
Changes (main):
Tracker issue: MDL-86507 Badges with a role criterion could be awarded to users who do not hold the role
The return URL in the policy tool required extra sanitizing to prevent a reflected XSS risk.
Severity/Risk: Serious
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Nicecatch2000
CVE identifier: CVE-2025-67855
Changes (main):
Tracker issue: MDL-86544 Reflected XSS risk in policy tool
Forum ratings required additional permission checks to prevent users from being able to view ratings they did not have the capability to access.
Severity/Risk: Minor
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Stefan Hanauska
CVE identifier: CVE-2025-67854
Changes (main):
Tracker issue: MDL-86960 Participants can access forum ratings without permission
Insufficient checks on a confirmation email web service made it easier to brute force password checks against known usernames.
Severity/Risk: Minor
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Petr Skoda
CVE identifier: CVE-2025-67853
Changes (main):
Tracker issue: MDL-86326 Password brute force risk from confirmation email web service
An open redirect risk existed in the OAuth login functionality.
Severity/Risk: Minor
Versions affected: 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions
Versions fixed: 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22
Reported by: Paolo Lazzaroni
CVE identifier: CVE-2025-67852
Changes (main):
Tracker issue: MDL-80317 Open redirect in OAuth login