An SQL injection risk was identified in the module list filter within course search.
| Severity/Risk: | Serious |
| Versions affected: | 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions |
| Versions fixed: | 4.5.2, 4.4.6, 4.3.10 and 4.1.16 |
| Reported by: | Lars Bonczek |
| CVE identifier: | CVE-2025-26533 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84271 |
| Tracker issue: | MDL-84271 SQL injection risk in course search module list filter |
Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored.
| Severity/Risk: | Minor |
| Versions affected: | 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions |
| Versions fixed: | 4.5.2, 4.4.6, 4.3.10 and 4.1.16 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2025-26532 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84003 |
| Tracker issue: | MDL-84003 Teachers can evade trusttext config when restoring glossary entries |
Insufficient capability checks made it possible to disable badges a user does not have permission to access.
| Severity/Risk: | Minor |
| Versions affected: | 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions |
| Versions fixed: | 4.5.2, 4.4.6, 4.3.10 and 4.1.16 |
| Reported by: | Paul Holden |
| CVE identifier: | CVE-2025-26531 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84239 |
| Tracker issue: | MDL-84239 IDOR in badges allows disabling of arbitrary badges |
The upstream RequireJS library was upgraded, which included a security fix.
| Severity/Risk: | Minor |
| Versions affected: | 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions |
| Versions fixed: | 4.5.2, 4.4.6, 4.3.10 and 4.1.16 |
| Reported by: | Paola Maneggia |
| CVE identifier: | CVE-2024-38999 (upstream) |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84023 |
| Tracker issue: | MDL-84023 Upgrade RequireJS including security fix (upstream) |
The question bank filter required additional sanitizing to prevent a reflected XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 4.5 to 4.5.1, 4.4 to 4.4.5 and 4.3 to 4.3.9 |
| Versions fixed: | 4.5.2, 4.4.6 and 4.3.10 |
| Reported by: | Hect0r |
| CVE identifier: | CVE-2025-26530 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84146 |
| Tracker issue: | MDL-84146 Reflected XSS via question bank filter |
Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.
| Severity/Risk: | Serious |
| Versions affected: | 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions |
| Versions fixed: | 4.5.2, 4.4.6, 4.3.10 and 4.1.16 |
| Reported by: | nightbloodz |
| CVE identifier: | CVE-2025-26529 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84145 |
| Tracker issue: | MDL-84145 Stored XSS risk in admin live log |
The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk.
| Severity/Risk: | Minor |
| Versions affected: | 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions |
| Versions fixed: | 4.5.2, 4.4.6, 4.3.10 and 4.1.16 |
| Reported by: | Vincent Schneider (cli-ish) |
| CVE identifier: | CVE-2025-26528 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82896 |
| Tracker issue: | MDL-82896 Stored XSS in ddimageortext question type |
Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block.
| Severity/Risk: | Minor |
| Versions affected: | 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions |
| Versions fixed: | 4.5.2, 4.4.6, 4.3.10 and 4.1.16 |
| Reported by: | Marina Glancy |
| CVE identifier: | CVE-2025-26527 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83941 |
| Tracker issue: | MDL-83941 Non-searchable tags can still be discovered on the tag search page and in the tags block |
Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities.
| Severity/Risk: | Minor |
| Versions affected: | 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions |
| Versions fixed: | 4.5.2, 4.4.6, 4.3.10 and 4.1.16 |
| Reported by: | Leon Stringer |
| CVE identifier: | CVE-2025-26526 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79976 |
| Tracker issue: | MDL-79976 Feedback response viewing and deletions did not respect Separate Groups mode |
Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed).
| Severity/Risk: | Serious |
| Versions affected: | 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15 and earlier unsupported versions |
| Versions fixed: | 4.5.2, 4.4.6, 4.3.10 and 4.1.16 |
| Reported by: | vicevirus |
| CVE identifier: | CVE-2025-26525 |
| Changes (main): | http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84136 |
| Tracker issue: | MDL-84136 Arbitrary file read risk through pdfTeX |