moodle/moodle Security Advisories for v4.3.7 (33)
-
[HIGH] Moodle has a Remote Code Execution risk via file restore
PKSA-fh6z-73jv-qwnd CVE-2026-26045 GHSA-ggxq-2mg9-8966
Affected version: <4.5.9|>=5.0.0-beta,<5.0.5|>=5.1.0-beta,<5.1.2
Reported by: GitHub
-
[MEDIUM] Moodle TeX formula editor is vulnerable to DoS through lack of execution time limits
PKSA-d5fc-2jw8-sm45 CVE-2026-26047 GHSA-cg8j-5cr2-568q
Affected version: <4.5.9|>=5.0.0-beta,<5.0.5|>=5.1.0-beta,<5.1.2
Reported by: GitHub
-
[HIGH] Moodle affected by a code injection vulnerability
PKSA-41tm-5zq3-pfdc CVE-2025-67847 GHSA-xvmh-25jw-gmmm
Affected version: <4.1.22|>=4.2.0-beta,<4.4.12|>=4.5.0-beta,<4.5.8|>=5.0.0-beta,<5.0.4|>=5.1.0-beta,<5.1.1
Reported by: GitHub
-
[HIGH] Moodle vulnerable to brute-force password guesses
PKSA-c2fh-btt6-h7g6 CVE-2025-62399 GHSA-m58f-9pvv-8mp2
Affected version: <4.1.21|>=4.2.0-beta,<4.4.11|>=4.5.0-beta,<4.5.7|>=5.0.0-beta,<5.0.3
Reported by: GitHub
-
[MEDIUM] Moodle exposed the names of hidden groups to users
PKSA-7bbm-2bcq-7hnc CVE-2025-62400 GHSA-422v-w6c5-vq42
Affected version: <4.1.21|>=4.2.0-beta,<4.4.11|>=4.5.0-beta,<4.5.7|>=5.0.0-beta,<5.0.3
Reported by: GitHub
-
[MEDIUM] Moodle has a time restriction bypass
PKSA-2154-mt94-234t CVE-2025-62401 GHSA-w29j-8phw-ffjf
Affected version: <4.1.21|>=4.2.0-beta,<4.4.11|>=4.5.0-beta,<4.5.7|>=5.0.0-beta,<5.0.3
Reported by: GitHub
-
[MEDIUM] Moodle allows IDOR when accessing the cohorts report
PKSA-bctf-nmjy-ynnz CVE-2025-3647 GHSA-34g7-pg9j-pxgp
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
-
[LOW] Moodle has a CSRF risk in user tours manager that allows tour duplication
PKSA-jwzm-wkm8-x9qp CVE-2025-3635 GHSA-88xj-97gf-7wpq
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
-
[MEDIUM] Moodle allows IDOR in RSS block, which allows access to additional RSS feeds
PKSA-848d-b4jc-r4z3 CVE-2025-3636 GHSA-chmf-m33p-ph8m
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
-
[LOW] Moodle's mod_data edit/delete pages pass CSRF token in GET parameter
PKSA-fvfh-pt1s-3tmx CVE-2025-3637 GHSA-9vc3-vm42-fjhm
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
-
[LOW] Moodle has a CSRF risk in Brickfield tool's analysis request action
PKSA-ysbw-mxpt-3wtx CVE-2025-3638 GHSA-m8qh-hx4c-h9hr
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
-
[MEDIUM] Moodle has an IDOR in web service which allows users enrolled in a course to access some details of other users
PKSA-mj2r-6dr9-xghp CVE-2025-3640 GHSA-6g5x-h5x7-q4mq
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
-
[HIGH] Moodle has an authenticated remote code execution risk in the Moodle LMS Dropbox repository
PKSA-9jfc-tg5h-yj5b CVE-2025-3641 GHSA-c8v6-vxhf-wcrr
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
-
[HIGH] Moodle has an authenticated remote code execution risk in the Moodle LMS EQUELLA repository
PKSA-8gd9-7npk-ym55 CVE-2025-3642 GHSA-m367-445c-2xqr
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
-
[MEDIUM] Moodle has reflected Cross-site Scripting risk in policy tool
PKSA-8sfx-6cpy-w558 CVE-2025-3643 GHSA-hxgg-4qww-85ph
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
-
[MEDIUM] Moodle's AJAX section delete does not respect course_can_delete_section()
PKSA-g3j3-qxjm-3zq6 CVE-2025-3644 GHSA-cpm7-mv33-jwf8
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
-
[MEDIUM] Moodle has an IDOR in messaging web service which allows access to some user details
PKSA-pr46-vm59-kn4p CVE-2025-3645 GHSA-pj96-xh2w-fgqx
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
-
[MEDIUM] Moodle shows hidden grades to users without permission on some grade reports
PKSA-d7vn-pt6b-zj2h CVE-2025-32045 GHSA-8m7c-hm88-2p97
Affected version: >=4.5.0-beta,<4.5.3|>=4.4.0-beta,<4.4.7|>=4.3.0-beta,<4.3.11|<4.1.17
Reported by: GitHub
-
[MEDIUM] Moodle makes some user data available before completing second factor with MFA enabled
PKSA-t8h6-8c8g-v64h CVE-2025-3627 GHSA-x45j-jq9q-gf3q
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12
Reported by: GitHub
-
[MEDIUM] Moodle self enrollment available before completing second factor with MFA enabled
PKSA-wkvg-pjc4-695g CVE-2025-3634 GHSA-qhc7-xhc2-7p7w
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12
Reported by: GitHub
-
[HIGH] Moodle has an arbitrary file read risk through pdfTeX
PKSA-tbqf-gy2t-9549 CVE-2025-26525 GHSA-4hmr-39vp-xfrr
Affected version: <4.1.16|>=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub
-
[MEDIUM] Moodle's feedback response viewing and deletions did not respect Separate Groups mode
PKSA-1xfj-78ck-68m3 CVE-2025-26526 GHSA-pxg4-xjp7-w9c5
Affected version: <4.1.16|>=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub
-
[MEDIUM] Moodle's non-searchable tags can still be discovered on the tag search page and in the tags block
PKSA-zx9m-rnqj-bycy CVE-2025-26527 GHSA-5r85-6h7f-rg3r
Affected version: <4.1.16|>=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub
-
[LOW] Moodle has a stored XSS in ddimageortext question type
PKSA-19h3-t8f4-j9qr CVE-2025-26528 GHSA-h697-w4ph-7pcx
Affected version: <4.1.16|>=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub
-
[HIGH] Moodle has a stored XSS risk in admin live log
PKSA-bqpz-gp92-yhbn CVE-2025-26529 GHSA-wr88-x8cm-7cgq
Affected version: <4.1.16|>=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub
-
[HIGH] Moodle allows reflected XSS via question bank filter
PKSA-jzzd-hb2w-cy7z CVE-2025-26530 GHSA-4w32-c9g7-27qx
Affected version: >=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub
-
[LOW] Moodle has an IDOR in badges allows disabling of arbitrary badges
PKSA-6qw2-86sq-nszm CVE-2025-26531 GHSA-g88w-v4cq-qgcp
Affected version: <4.1.16|>=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub
-
[LOW] Moodle allows teachers to evade trusttext config when restoring glossary entries
PKSA-2t2j-mwq1-3v3v CVE-2025-26532 GHSA-cw24-f6fq-7j9v
Affected version: <4.1.16|>=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub
-
[HIGH] Moodle has a SQL injection risk in course search module list filter
PKSA-6vk5-pjgr-yssn CVE-2025-26533 GHSA-rg56-94j7-hjx9
Affected version: <4.1.16|>=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub
-
[MEDIUM] Moodle leaks user names
PKSA-rd93-2zrq-9hms CVE-2024-48896 GHSA-cq5f-wv7p-5gfc
Affected version: >=4.4.0,<4.4.4|>=4.3.0,<4.3.8|>=4.2.0,<4.2.11|<4.1.14
Reported by: GitHub
-
[MEDIUM] moodle: IDOR in edit/delete RSS feed
PKSA-hhpt-69ky-ds9w CVE-2024-48897 GHSA-x3x9-349x-2485
Affected version: >=4.4.0,<4.4.4|>=4.3.0,<4.3.8|>=4.2.0,<4.2.11|<4.1.14
Reported by: GitHub
-
[MEDIUM] moodle: Some users can delete audiences of other reports
PKSA-sbzz-bvbt-7fqv CVE-2024-48898 GHSA-fjq9-452g-jg3q
Affected version: >=4.4.0,<4.4.4|>=4.3.0,<4.3.8|>=4.2.0,<4.2.11|<4.1.14
Reported by: GitHub
-
[MEDIUM] moodle: IDOR when fetching report schedules
PKSA-b9zz-v9f7-k18v CVE-2024-48901 GHSA-mg54-p2wj-5ph7
Affected version: >=4.4.0,<4.4.4|>=4.3.0,<4.3.8|>=4.2.0,<4.2.11|<4.1.14
Reported by: GitHub