A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled and ImageMagick is installed, a maliciously crafted setting value entered by an administrator could result in unintended system command execution. While exploitation requires administrative privileges, successful compromise could affect the entire Moodle server.
CVSS Score
7.2
EPSS Score
0.001
Published
2026-02-21
A denial-of-service vulnerability was identified in Moodle’s TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to consume excessive server resources. An authenticated user could abuse this behavior to degrade performance or cause service interruption.
CVSS Score
6.5
EPSS Score
0.001
Published
2026-02-21
A flaw was identified in Moodle’s backup restore functionality where specially crafted backup files were not properly validated during processing. If a malicious backup file is restored, it could lead to unintended execution of server-side code. Since restore capabilities are typically available to privileged users, exploitation requires authenticated access. Successful exploitation could result in full compromise of the Moodle server.
CVSS Score
7.2
EPSS Score
0.001
Published
2026-02-21
A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occurred specifically on two types of pages within the mod_data module: edit and delete pages.
CVSS Score
3.1
EPSS Score
0.002
Published
2025-04-25
A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site.
CVSS Score
4.3
EPSS Score
0.003
Published
2024-11-18
A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify.
CVSS Score
4.3
EPSS Score
0.002
Published
2024-11-18
A vulnerability was found in Moodle. Users with access to delete audiences from reports could delete audiences from other reports that they do not have permission to delete from.
CVSS Score
4.3
EPSS Score
0.002
Published
2024-11-18
A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report.
CVSS Score
4.3
EPSS Score
0.002
Published
2024-11-18
Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.
CVSS Score
8.8
EPSS Score
0.004
Published
2024-05-31
Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent.
CVSS Score
6.5
EPSS Score
0.001
Published
2024-02-12
Page 1