The upstream Symfony process module version required updating to remove a command injection risk on Windows systems.
| Severity/Risk: | Serious |
| Versions affected: | 4.5 to 4.5.8 |
| Versions fixed: | 4.5.9 |
| Reported by: | Dustin Frank |
| CVE identifier: | CVE-2024-51736 |
| Changes (4.5.9): | https://github.com/moodle/moodle/commit/3cf9457a36f5c5583ce5fdf6e3836d3d272289a8 |
| Tracker issue: | MDL-87594 Update Symfony process module version to avoid a security risk (upstream) |
Rendering of TeX content with mimetex in the formula editor required execution time limitations to prevent a denial of service risk.
| Severity/Risk: | Serious |
| Versions affected: | 5.1 to 5.1.1, 5.0 to 5.0.4, 4.5 to 4.5.8 and earlier unsupported versions |
| Versions fixed: | 5.1.2, 5.0.5 and 4.5.9 |
| Reported by: | Aleksey Solovev (Positive Technologies) |
| CVE identifier: | CVE-2026-26047 |
| Changes (5.1.2): | https://github.com/moodle/moodle/commit/8683b4a04939332e353cad1be51222930dc40b2c |
| Tracker issue: | MDL-86785 Denial of service risk in TeX formula editor |
Additional sanitizing was required on a TeX filter administration setting to prevent a remote code execution risk.
Note: The affected setting could only be accessed by site administrators, and only affected sites with the TeX notation filter enabled and ImageMagick installed on the server.
| Severity/Risk: | Serious |
| Versions affected: | 5.1 to 5.1.1, 5.0 to 5.0.4, 4.5 to 4.5.8 and earlier unsupported versions |
| Versions fixed: | 5.1.2, 5.0.5 and 4.5.9 |
| Reported by: | Vicevirus |
| CVE identifier: | CVE-2026-26046 |
| Changes (main): |
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87843 |
| Tracker issue: | MDL-87843 and MDL-87870 Remote code execution risk in TeX filter admin setting |
A remote code execution risk was identified in the file restore functionality.
| Severity/Risk: | Serious |
| Versions affected: | 5.1 to 5.1.1, 5.0 to 5.0.4, 4.5 to 4.5.8 and earlier unsupported versions |
| Versions fixed: | 5.1.2, 5.0.5 and 4.5.9 |
| Reported by: | Dinhnhi from VNPT-VCI |
| CVE identifier: | CVE-2026-26045 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87612 |
| Tracker issue: | MDL-87612 Remote code execution risk via file restore |
When blind marking is enabled for an assignment, user IDs remained visible on the assignment submissions page instead of being masked.
| Severity/Risk: | Minor |
| Versions affected: | 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions |
| Versions fixed: | 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22 |
| Reported by: | Mihail Geshoski |
| CVE identifier: | CVE-2025-67857 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82808 |
| Tracker issue: | MDL-82808 User IDs exposed in URLs when using anonymous submissions in assignment |
Badges being awarded with a role performed the correct capability check, but did not verify the user had the required role to meet the award criterion.
| Severity/Risk: | Minor |
| Versions affected: | 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions |
| Versions fixed: | 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22 |
| Reported by: | Stefan Hanauska |
| CVE identifier: | CVE-2025-67856 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86507 |
| Tracker issue: | MDL-86507 Badges with a role criterion could be awarded to users who do not hold the role |
The return URL in the policy tool required extra sanitizing to prevent a reflected XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions |
| Versions fixed: | 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22 |
| Reported by: | Nicecatch2000 |
| CVE identifier: | CVE-2025-67855 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86544 |
| Tracker issue: | MDL-86544 Reflected XSS risk in policy tool |
Forum ratings required additional permission checks to prevent users from being able to view ratings they did not have the capability to access.
| Severity/Risk: | Minor |
| Versions affected: | 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions |
| Versions fixed: | 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22 |
| Reported by: | Stefan Hanauska |
| CVE identifier: | CVE-2025-67854 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86960 |
| Tracker issue: | MDL-86960 Participants can access forum ratings without permission |
Insufficient checks on a confirmation email web service made it easier to brute force password checks against known usernames.
| Severity/Risk: | Minor |
| Versions affected: | 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions |
| Versions fixed: | 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22 |
| Reported by: | Petr Skoda |
| CVE identifier: | CVE-2025-67853 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-86326 |
| Tracker issue: | MDL-86326 Password brute force risk from confirmation email web service |
An open redirect risk existed in the OAuth login functionality.
| Severity/Risk: | Minor |
| Versions affected: | 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions |
| Versions fixed: | 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22 |
| Reported by: | Paolo Lazzaroni |
| CVE identifier: | CVE-2025-67852 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-80317 |
| Tracker issue: | MDL-80317 Open redirect in OAuth login |