The grade penalty rules reset function did not include the necessary token to prevent a CSRF risk.
| Severity/Risk: | Minor |
| Versions affected: | 5.1 to 5.1.3 and 5.0 to 5.0.6 |
| Versions fixed: | 5.1.4 and 5.0.7 |
| Reported by: | Khải nguyễn Đặng |
| CVE identifier: | CVE-2026-7277 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88087 |
| Tracker issue: | MDL-88087 CSRF risk in reset penalty rules functionality |
The PHPUnit version in Moodle LMS 4.5 required updating to avoid an upstream Poisoned Pipeline Execution (PPE) risk.
| Severity/Risk: | Minor |
| Versions affected: | 4.5 to 4.5.10 |
| Versions fixed: | 4.5.11 |
| Reported by: | Huong Nguyen |
| CVE identifier: | CVE-2026-24765 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88381 |
| Tracker issue: | MDL-88381 Upgrade PHPUnit version to avoid a security risk (upstream) |
A flaw in message handling of conversations with deleted users could result in active users losing access to their private messages.
| Severity/Risk: | Minor |
| Versions affected: | 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions |
| Versions fixed: | 5.1.4, 5.0.7 and 4.5.11 |
| Reported by: | Adam Jenkins |
| CVE identifier: | CVE-2026-7276 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87760 |
| Tracker issue: | MDL-87760 Message panel breaks with messages from deleted users (messaging DoS risk) |
A remote code execution risk was identified in Moodle's Google Drive repository plugin.
| Severity/Risk: | Serious |
| Versions affected: | 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions |
| Versions fixed: | 5.1.4, 5.0.7 and 4.5.11 |
| Reported by: | Rojan Rijal |
| Workaround: | Disable the Google Drive repository plugin until the patch has been applied. |
| CVE identifier: | CVE-2026-7275 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88423 |
| Tracker issue: | MDL-88423 RCE risk via Moodle's Google Drive repository plugin |
An SQL injection risk was identified in the "external database" authentication plugin (auth_db).
Note: This only affected sites with the auth_db authentication plugin enabled.
| Severity/Risk: | Serious |
| Versions affected: | 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions |
| Versions fixed: | 5.1.4, 5.0.7 and 4.5.11 |
| Reported by: | Melvinsh |
| CVE identifier: | CVE-2026-7274 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88138 |
| Tracker issue: | MDL-88138 SQL injection risk in external database authentication plugin |
The upstream Symfony process module version required updating to remove a command injection risk on Windows systems.
| Severity/Risk: | Serious |
| Versions affected: | 4.5 to 4.5.8 |
| Versions fixed: | 4.5.9 |
| Reported by: | Dustin Frank |
| CVE identifier: | CVE-2024-51736 |
| Changes (4.5.9): | https://github.com/moodle/moodle/commit/3cf9457a36f5c5583ce5fdf6e3836d3d272289a8 |
| Tracker issue: | MDL-87594 Update Symfony process module version to avoid a security risk (upstream) |
Rendering of TeX content with mimetex in the formula editor required execution time limitations to prevent a denial of service risk.
| Severity/Risk: | Serious |
| Versions affected: | 5.1 to 5.1.1, 5.0 to 5.0.4, 4.5 to 4.5.8 and earlier unsupported versions |
| Versions fixed: | 5.1.2, 5.0.5 and 4.5.9 |
| Reported by: | Aleksey Solovev (Positive Technologies) |
| CVE identifier: | CVE-2026-26047 |
| Changes (5.1.2): | https://github.com/moodle/moodle/commit/8683b4a04939332e353cad1be51222930dc40b2c |
| Tracker issue: | MDL-86785 Denial of service risk in TeX formula editor |
Additional sanitizing was required on a TeX filter administration setting to prevent a remote code execution risk.
Note: The affected setting could only be accessed by site administrators, and only affected sites with the TeX notation filter enabled and ImageMagick installed on the server.
| Severity/Risk: | Serious |
| Versions affected: | 5.1 to 5.1.1, 5.0 to 5.0.4, 4.5 to 4.5.8 and earlier unsupported versions |
| Versions fixed: | 5.1.2, 5.0.5 and 4.5.9 |
| Reported by: | Vicevirus |
| CVE identifier: | CVE-2026-26046 |
| Changes (main): |
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87843 |
| Tracker issue: | MDL-87843 and MDL-87870 Remote code execution risk in TeX filter admin setting |
A remote code execution risk was identified in the file restore functionality.
| Severity/Risk: | Serious |
| Versions affected: | 5.1 to 5.1.1, 5.0 to 5.0.4, 4.5 to 4.5.8 and earlier unsupported versions |
| Versions fixed: | 5.1.2, 5.0.5 and 4.5.9 |
| Reported by: | Dinhnhi from VNPT-VCI |
| CVE identifier: | CVE-2026-26045 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87612 |
| Tracker issue: | MDL-87612 Remote code execution risk via file restore |
When blind marking is enabled for an assignment, user IDs remained visible on the assignment submissions page instead of being masked.
| Severity/Risk: | Minor |
| Versions affected: | 5.1, 5.0 to 5.0.3, 4.5 to 4.5.7, 4.4 to 4.4.11, 4.1 to 4.1.21 and earlier unsupported versions |
| Versions fixed: | 5.1.1, 5.0.4, 4.5.8, 4.4.12 and 4.1.22 |
| Reported by: | Mihail Geshoski |
| CVE identifier: | CVE-2025-67857 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82808 |
| Tracker issue: | MDL-82808 User IDs exposed in URLs when using anonymous submissions in assignment |