Security announcements

Socialwall course format plugin - known vulnerability and call for new maintainer

by Michael Hawkins -

Hi all,

We have been made aware of a serious security vulnerability in the third-party Socialwall course format plugin (format_socialwall). As the plugin is no longer actively maintained, no fix is forthcoming, and we consider it unsafe to use.

If you have the Socialwall plugin installed, we recommend disabling or uninstalling it as soon as possible. We have also removed that plugin from our plugins directory. If you do not have the Socialwall course format plugin installed, no action is required.

We would like to thank gr3mlin for responsibly disclosing this vulnerability to us via our security submission form, after they were unable to reach the plugin maintainer directly (we were subsequently able to reach the maintainer and confirm that the plugin is no longer in active development).

Are you interested in taking over maintenance of Socialwall?

If your site is using this plugin and you have the capacity to take on its maintenance (including fixing the vulnerability), we'd love to hear from you - please reply to this thread or contact me directly.

MSA-26-0011: CSRF and missing capability check in admin/mnet/peers.php

by Michael Hawkins -

Insufficient CSRF token and capability checks were applied to an MNet admin setting.

Severity/Risk: Minor
Versions affected: 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions
Versions fixed: 5.1.4, 5.0.7 and 4.5.11
Reported by: Vincent Schneider
CVE identifier: CVE-2026-7278
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84495
Tracker issue: MDL-84495 CSRF and missing capability check in admin/mnet/peers.php

MSA-26-0010: Upgrade AWS SDK for PHP including security fix (upstream)

by Michael Hawkins -

The upstream AWS SDK for PHP library was upgraded, which included a security fix.

Severity/Risk: Minor
Versions affected: 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions
Versions fixed: 5.1.4, 5.0.7 and 4.5.11
Reported by: Michael Hawkins
CVE identifier: CVE-2025-14761
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87598
Tracker issue: MDL-87598 Upgrade AWS SDK for PHP including security fix (upstream)

MSA-26-0009: CSRF risk in reset penalty rules functionality

by Michael Hawkins -

The grade penalty rules reset function did not include the necessary token to prevent a CSRF risk.

Severity/Risk: Minor
Versions affected: 5.1 to 5.1.3 and 5.0 to 5.0.6
Versions fixed: 5.1.4 and 5.0.7
Reported by: Khải nguyễn Đặng
CVE identifier: CVE-2026-7277
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88087
Tracker issue: MDL-88087 CSRF risk in reset penalty rules functionality

MSA-26-0008: Upgrade PHPUnit version to avoid a security risk (upstream)

by Michael Hawkins -

The PHPUnit version in Moodle LMS 4.5 required updating to avoid an upstream Poisoned Pipeline Execution (PPE) risk.

Severity/Risk: Minor
Versions affected: 4.5 to 4.5.10
Versions fixed: 4.5.11
Reported by: Huong Nguyen
CVE identifier: CVE-2026-24765
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88381
Tracker issue: MDL-88381 Upgrade PHPUnit version to avoid a security risk (upstream)

MSA-26-0007: Message panel breaks with messages from deleted users (messaging DoS risk)

by Michael Hawkins -

A flaw in message handling of conversations with deleted users could result in active users losing access to their private messages.

Severity/Risk: Minor
Versions affected: 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions
Versions fixed: 5.1.4, 5.0.7 and 4.5.11
Reported by: Adam Jenkins
CVE identifier: CVE-2026-7276
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87760
Tracker issue: MDL-87760 Message panel breaks with messages from deleted users (messaging DoS risk)

MSA-26-0006: RCE risk via Moodle's Google Drive repository plugin

by Michael Hawkins -

A remote code execution risk was identified in Moodle's Google Drive repository plugin.

Severity/Risk: Serious
Versions affected: 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions
Versions fixed: 5.1.4, 5.0.7 and 4.5.11
Reported by: Ophion Security
Workaround: Disable the Google Drive repository plugin until the patch has been applied.
CVE identifier: CVE-2026-7275
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88423
Tracker issue: MDL-88423 RCE risk via Moodle's Google Drive repository plugin

MSA-26-0005: SQL injection risk in external database authentication plugin

by Michael Hawkins -

An SQL injection risk was identified in the "external database" authentication plugin (auth_db). Note: This only affected sites with the auth_db authentication plugin enabled.

Severity/Risk: Serious
Versions affected: 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions
Versions fixed: 5.1.4, 5.0.7 and 4.5.11
Reported by: Melvinsh
CVE identifier: CVE-2026-7274
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88138
Tracker issue: MDL-88138 SQL injection risk in external database authentication plugin

MSA-26-0004: Update Symfony process module version to avoid a security risk (upstream)

by Michael Hawkins -

The upstream Symfony process module version required updating to remove a command injection risk on Windows systems.

Severity/Risk: Serious
Versions affected: 4.5 to 4.5.8
Versions fixed: 4.5.9
Reported by: Dustin Frank
CVE identifier: CVE-2024-51736
Changes (4.5.9): https://github.com/moodle/moodle/commit/3cf9457a36f5c5583ce5fdf6e3836d3d272289a8
Tracker issue: MDL-87594 Update Symfony process module version to avoid a security risk (upstream)

MSA-26-0003: Denial of service risk in TeX formula editor

by Michael Hawkins -

Rendering of TeX content with mimetex in the formula editor required execution time limitations to prevent a denial of service risk.

Severity/Risk: Serious
Versions affected: 5.1 to 5.1.1, 5.0 to 5.0.4, 4.5 to 4.5.8 and earlier unsupported versions
Versions fixed: 5.1.2, 5.0.5 and 4.5.9
Reported by: Aleksey Solovev (Positive Technologies)
CVE identifier: CVE-2026-26047
Changes (5.1.2): https://github.com/moodle/moodle/commit/8683b4a04939332e353cad1be51222930dc40b2c
Tracker issue: MDL-86785 Denial of service risk in TeX formula editor