A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled and ImageMagick is installed, a maliciously crafted setting value entered by an administrator could result in unintended system command execution. While exploitation requires administrative privileges, successful compromise could affect the entire Moodle server.
CVSS Score
7.2
EPSS Score
0.001
Published
2026-02-21
A denial-of-service vulnerability was identified in Moodle’s TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to consume excessive server resources. An authenticated user could abuse this behavior to degrade performance or cause service interruption.
CVSS Score
6.5
EPSS Score
0.001
Published
2026-02-21
A flaw was identified in Moodle’s backup restore functionality where specially crafted backup files were not properly validated during processing. If a malicious backup file is restored, it could lead to unintended execution of server-side code. Since restore capabilities are typically available to privileged users, exploitation requires authenticated access. Successful exploitation could result in full compromise of the Moodle server.
CVSS Score
7.2
EPSS Score
0.001
Published
2026-02-21
A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA repository enabled.
CVSS Score
8.8
EPSS Score
0.014
Published
2025-04-25
A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk.
CVSS Score
5.4
EPSS Score
0.002
Published
2025-04-25
A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.
CVSS Score
4.3
EPSS Score
0.003
Published
2025-04-25
A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses.
CVSS Score
4.3
EPSS Score
0.003
Published
2025-04-25
A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.
CVSS Score
4.3
EPSS Score
0.003
Published
2025-04-25
A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks.
CVSS Score
3.5
EPSS Score
0.001
Published
2025-04-25
A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks.
CVSS Score
4.3
EPSS Score
0.002
Published
2025-04-25
Page 1