moodle/moodle Security Advisories for v4.5.0 (43)
- [HIGH] Moodle has a Remote Code Execution risk via file restore
PKSA-fh6z-73jv-qwnd CVE-2026-26045 GHSA-ggxq-2mg9-8966
Affected version: <4.5.9|>=5.0.0-beta,<5.0.5|>=5.1.0-beta,<5.1.2
Reported by: GitHub
- [MEDIUM] Moodle TeX formula editor is vulnerable to DoS through lack of execution time limits
PKSA-d5fc-2jw8-sm45 CVE-2026-26047 GHSA-cg8j-5cr2-568q
Affected version: <4.5.9|>=5.0.0-beta,<5.0.5|>=5.1.0-beta,<5.1.2
Reported by: GitHub
- [LOW] Moodle Open Redirect vulnerability
PKSA-prf5-y5p2-ykmg CVE-2025-67852 GHSA-qv78-6gpp-hm68
Affected version: >=5.1.0-beta,<5.1.1|>=5.0.0-beta,<5.0.4|>=4.5.0-beta,<4.5.8|>=4.4.0-beta,<4.4.12|<4.1.22
Reported by: GitHub
- [HIGH] Moodle Affected by Improper Restriction of Excessive Authentication Attempts
PKSA-dz6d-pdgm-m472 CVE-2025-67853 GHSA-5cx4-w4fh-fr57
Affected version: >=5.1.0-beta,<5.1.1|>=5.0.0-beta,<5.0.4|>=4.5.0-beta,<4.5.8|>=4.4.0-beta,<4.4.12|<4.1.22
Reported by: GitHub
- [MEDIUM] Moodle vulnerable to Cross-site Scripting
PKSA-2j87-1r5d-n19k CVE-2025-67855 GHSA-vwhw-vp9v-q9c9
Affected version: >=5.1.0-beta,<5.1.1|>=5.0.0-beta,<5.0.4|>=4.5.0-beta,<4.5.8|>=4.4.0-beta,<4.4.12|<4.1.22
Reported by: GitHub
- [MEDIUM] Moodle has an authorization logic flaw
PKSA-xyd9-vffd-bswp CVE-2025-67856 GHSA-hcm6-q6pc-xfhm
Affected version: >=5.1.0-beta,<5.1.1|>=5.0.0-beta,<5.0.4|>=4.5.0-beta,<4.5.8|>=4.4.0-beta,<4.4.12|<4.1.22
Reported by: GitHub
- [MEDIUM] Moodle Inserts Sensitive Information Into Sent Data
PKSA-2wxn-vc4s-1dkz CVE-2025-67857 GHSA-8jrv-wx83-w3xj
Affected version: >=5.1.0-beta,<5.1.1|>=5.0.0-beta,<5.0.4|>=4.5.0-beta,<4.5.8|>=4.4.0-beta,<4.4.12|<4.1.22
Reported by: GitHub
- [HIGH] Moodle authentication bypass vulnerability
PKSA-d2w7-632f-6wy9 CVE-2025-67848 GHSA-j5jv-w5cw-j9ff
Affected version: >=5.1.0-beta,<5.1.1|>=5.0.0-beta,<5.0.4|>=4.5.0-beta,<4.5.8|>=4.4.0-beta,<4.4.12|<4.1.22
Reported by: GitHub
- [HIGH] Moodle Cross-site Scripting (XSS) vulnerability
PKSA-qhxz-6rtn-nzx7 CVE-2025-67849 GHSA-mhf6-pp52-8wqj
Affected version: >=5.1.0-beta,<5.1.1|>=5.0.0-beta,<5.0.4|>=4.5.0-beta,<4.5.8|>=4.4.0-beta,<4.4.12|<4.1.22
Reported by: GitHub
- [HIGH] Moodle vulnerable to Cross-site Scripting
PKSA-3g2p-wb92-w82j CVE-2025-67850 GHSA-6mmv-f6c6-v6q8
Affected version: >=5.1.0-beta,<5.1.1|>=5.0.0-beta,<5.0.4|>=4.5.0-beta,<4.5.8|>=4.4.0-beta,<4.4.12|<4.1.22
Reported by: GitHub
- [MEDIUM] Moodle formula injection vulnerability
PKSA-213q-p3b4-49zj CVE-2025-67851 GHSA-qfh6-h7j6-fvjv
Affected version: >=5.1.0-beta,<5.1.1|>=5.0.0-beta,<5.0.4|>=4.5.0-beta,<4.5.8|>=4.4.0-beta,<4.4.12|<4.1.22
Reported by: GitHub
- [HIGH] Moodle affected by a code injection vulnerability
PKSA-41tm-5zq3-pfdc CVE-2025-67847 GHSA-xvmh-25jw-gmmm
Affected version: <4.1.22|>=4.2.0-beta,<4.4.12|>=4.5.0-beta,<4.5.8|>=5.0.0-beta,<5.0.4|>=5.1.0-beta,<5.1.1
Reported by: GitHub
- [MEDIUM] Moodle's error handling leads to sensitive information disclosure
PKSA-s9t3-1mh7-mgx2 CVE-2025-62396 GHSA-c5cj-xp43-qcc3
Affected version: >=4.5.0-beta,<4.5.7|>=5.0.0-beta,<5.0.3
Reported by: GitHub
- [MEDIUM] Moodle does not properly enforce MFA
PKSA-7pfx-c6p7-vmng CVE-2025-62398 GHSA-25wf-7x6c-wmpf
Affected version: >=4.4.0-beta,<4.4.11|>=4.5.0-beta,<4.5.7|>=5.0.0-beta,<5.0.3
Reported by: GitHub
- [HIGH] Moodle vulnerable to brute-force password guesses
PKSA-c2fh-btt6-h7g6 CVE-2025-62399 GHSA-m58f-9pvv-8mp2
Affected version: <4.1.21|>=4.2.0-beta,<4.4.11|>=4.5.0-beta,<4.5.7|>=5.0.0-beta,<5.0.3
Reported by: GitHub
- [MEDIUM] Moodle exposed the names of hidden groups to users
PKSA-7bbm-2bcq-7hnc CVE-2025-62400 GHSA-422v-w6c5-vq42
Affected version: <4.1.21|>=4.2.0-beta,<4.4.11|>=4.5.0-beta,<4.5.7|>=5.0.0-beta,<5.0.3
Reported by: GitHub
- [MEDIUM] Moodle has a time restriction bypass
PKSA-2154-mt94-234t CVE-2025-62401 GHSA-w29j-8phw-ffjf
Affected version: <4.1.21|>=4.2.0-beta,<4.4.11|>=4.5.0-beta,<4.5.7|>=5.0.0-beta,<5.0.3
Reported by: GitHub
- [MEDIUM] Moodle sends quiz-related messages to inactive/suspended users
PKSA-618v-fp6m-xcm3 CVE-2025-62394 GHSA-8fcv-4qp9-pg32
Affected version: >=4.5.0-beta,<4.5.7|>=5.0.0-beta,<5.0.3
Reported by: GitHub
- [MEDIUM] Moodle allows IDOR when accessing the cohorts report
PKSA-bctf-nmjy-ynnz CVE-2025-3647 GHSA-34g7-pg9j-pxgp
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
- [LOW] Moodle has a CSRF risk in user tours manager that allows tour duplication
PKSA-jwzm-wkm8-x9qp CVE-2025-3635 GHSA-88xj-97gf-7wpq
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
- [MEDIUM] Moodle allows IDOR in RSS block, which allows access to additional RSS feeds
PKSA-848d-b4jc-r4z3 CVE-2025-3636 GHSA-chmf-m33p-ph8m
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
- [LOW] Moodle's mod_data edit/delete pages pass CSRF token in GET parameter
PKSA-fvfh-pt1s-3tmx CVE-2025-3637 GHSA-9vc3-vm42-fjhm
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
- [LOW] Moodle has a CSRF risk in Brickfield tool's analysis request action
PKSA-ysbw-mxpt-3wtx CVE-2025-3638 GHSA-m8qh-hx4c-h9hr
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
- [MEDIUM] Moodle has an IDOR in web service which allows users enrolled in a course to access some details of other users
PKSA-mj2r-6dr9-xghp CVE-2025-3640 GHSA-6g5x-h5x7-q4mq
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
- [HIGH] Moodle has an authenticated remote code execution risk in the Moodle LMS Dropbox repository
PKSA-9jfc-tg5h-yj5b CVE-2025-3641 GHSA-c8v6-vxhf-wcrr
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
- [HIGH] Moodle has an authenticated remote code execution risk in the Moodle LMS EQUELLA repository
PKSA-8gd9-7npk-ym55 CVE-2025-3642 GHSA-m367-445c-2xqr
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
- [MEDIUM] Moodle has reflected Cross-site Scripting risk in policy tool
PKSA-8sfx-6cpy-w558 CVE-2025-3643 GHSA-hxgg-4qww-85ph
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
- [MEDIUM] Moodle's AJAX section delete does not respect course_can_delete_section()
PKSA-g3j3-qxjm-3zq6 CVE-2025-3644 GHSA-cpm7-mv33-jwf8
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
- [MEDIUM] Moodle has an IDOR in messaging web service which allows access to some user details
PKSA-pr46-vm59-kn4p CVE-2025-3645 GHSA-pj96-xh2w-fgqx
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12|<4.1.18
Reported by: GitHub
- [HIGH] Moodle allows unauthenticated REST API user data exposure
PKSA-x1y3-vqkr-6mks CVE-2025-32044 GHSA-345q-9jmq-g9q4
Affected version: >=4.5.0-beta,<4.5.3
Reported by: GitHub
- [MEDIUM] Moodle shows hidden grades to users without permission on some grade reports
PKSA-d7vn-pt6b-zj2h CVE-2025-32045 GHSA-8m7c-hm88-2p97
Affected version: >=4.5.0-beta,<4.5.3|>=4.4.0-beta,<4.4.7|>=4.3.0-beta,<4.3.11|<4.1.17
Reported by: GitHub
- [MEDIUM] Moodle makes some user data available before completing second factor with MFA enabled
PKSA-t8h6-8c8g-v64h CVE-2025-3627 GHSA-x45j-jq9q-gf3q
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12
Reported by: GitHub
- [MEDIUM] Moodle reveals student identities through assignment submissions search on anonymous submissions
PKSA-fp9k-tq3g-3ygs CVE-2025-3628 GHSA-69m9-rprc-2x7g
Affected version: >=4.5.0-beta,<4.5.4
Reported by: GitHub
- [MEDIUM] Moodle self enrollment available before completing second factor with MFA enabled
PKSA-wkvg-pjc4-695g CVE-2025-3634 GHSA-qhc7-xhc2-7p7w
Affected version: >=4.5.0-beta,<4.5.4|>=4.4.0-beta,<4.4.8|>=4.3.0-beta,<4.3.12
Reported by: GitHub
- [HIGH] Moodle has an arbitrary file read risk through pdfTeX
PKSA-tbqf-gy2t-9549 CVE-2025-26525 GHSA-4hmr-39vp-xfrr
Affected version: <4.1.16|>=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub
- [MEDIUM] Moodle's feedback response viewing and deletions did not respect Separate Groups mode
PKSA-1xfj-78ck-68m3 CVE-2025-26526 GHSA-pxg4-xjp7-w9c5
Affected version: <4.1.16|>=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub
- [MEDIUM] Moodle's non-searchable tags can still be discovered on the tag search page and in the tags block
PKSA-zx9m-rnqj-bycy CVE-2025-26527 GHSA-5r85-6h7f-rg3r
Affected version: <4.1.16|>=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub
- [LOW] Moodle has a stored XSS in ddimageortext question type
PKSA-19h3-t8f4-j9qr CVE-2025-26528 GHSA-h697-w4ph-7pcx
Affected version: <4.1.16|>=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub
- [HIGH] Moodle has a stored XSS risk in admin live log
PKSA-bqpz-gp92-yhbn CVE-2025-26529 GHSA-wr88-x8cm-7cgq
Affected version: <4.1.16|>=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub
- [HIGH] Moodle allows reflected XSS via question bank filter
PKSA-jzzd-hb2w-cy7z CVE-2025-26530 GHSA-4w32-c9g7-27qx
Affected version: >=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub
- [LOW] Moodle has an IDOR in badges that allows disabling of arbitrary badges
PKSA-6qw2-86sq-nszm CVE-2025-26531 GHSA-g88w-v4cq-qgcp
Affected version: <4.1.16|>=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub
- [LOW] Moodle allows teachers to evade trusttext config when restoring glossary entries
PKSA-2t2j-mwq1-3v3v CVE-2025-26532 GHSA-cw24-f6fq-7j9v
Affected version: <4.1.16|>=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub
- [HIGH] Moodle has a SQL injection risk in course search module list filter
PKSA-6vk5-pjgr-yssn CVE-2025-26533 GHSA-rg56-94j7-hjx9
Affected version: <4.1.16|>=4.3.0-beta,<4.3.10|>=4.4.0-beta,<4.4.6|>=4.5.0-beta,<4.5.2
Reported by: GitHub