Moodle Security Vulnerabilities (CVEs)

Track 75 security vulnerabilities affecting Moodle products and software. Get instant email alerts when new CVEs are discovered, automated security monitoring, and patch guidance.

9 Critical
32 High
33 Medium
1 Low
CVE-2026-26047 6.5

This vulnerability allows authenticated Moodle users to craft malicious TeX formulas that consume excessive server resources when rendered, potentiall...

Feb 21, 2026
CVE-2026-26045 7.2

This vulnerability in Moodle's backup restore functionality allows authenticated privileged users to upload specially crafted backup files that bypass...

Feb 21, 2026
CVE-2025-67857 4.3

This vulnerability in Moodle exposes user identifiers in URLs during anonymous assignment submissions, compromising intended anonymity. Attackers can ...

Feb 3, 2026
CVE-2025-67849 7.3

This cross-site scripting vulnerability in Moodle allows attackers to inject malicious scripts through AI prompt responses. When users view compromise...

Feb 3, 2026
CVE-2025-67850 7.3

This Cross-Site Scripting (XSS) vulnerability in Moodle allows attackers to inject malicious JavaScript code into arithmetic expression fields in the ...

Feb 3, 2026
CVE-2025-67851 6.1

A formula injection vulnerability in Moodle allows remote attackers to embed malicious formulas in exported data. When users export this data and open...

Feb 3, 2026
CVE-2025-67852 3.5

An open redirect vulnerability in Moodle's OAuth login flow allows attackers to redirect authenticated users to malicious websites. This affects all M...

Feb 3, 2026
CVE-2025-67853 7.5

This vulnerability in Moodle allows remote attackers to bypass rate limiting on confirmation email services, enabling brute-force attacks against user...

Feb 3, 2026
CVE-2025-67855 5.4

A reflected Cross-Site Scripting (XSS) vulnerability in Moodle's policy tool return URL allows attackers to inject malicious scripts through specially...

Feb 3, 2026
CVE-2025-67856 5.4

An authorization logic flaw in Moodle's badge awarding system allows users to obtain badges without proper role verification. This affects all Moodle ...

Feb 3, 2026
CVE-2025-67848 8.1

This authentication bypass vulnerability in Moodle allows suspended users to authenticate through the LTI Provider, enabling unauthorized access to th...

Feb 3, 2026
CVE-2025-67847 8.8

This vulnerability allows attackers with access to Moodle's restore interface to execute arbitrary code on the server due to insufficient input valida...

Jan 23, 2026
CVE-2021-47857 7.2

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in calendar event subtitles that allows attackers to inject malicious JavaScrip...

Jan 21, 2026
CVE-2025-62397 5.3

This vulnerability allows attackers to enumerate valid course IDs on a router by observing inconsistent responses to invalid IDs. This information dis...

Oct 23, 2025
CVE-2025-62398 5.4

This authentication bypass vulnerability allows attackers with valid credentials to circumvent multi-factor authentication under specific conditions, ...

Oct 23, 2025
CVE-2025-62399 7.5

CVE-2025-62399 allows attackers to perform brute-force attacks against Moodle's mobile and web service authentication endpoints due to insufficient ra...

Oct 23, 2025
CVE-2025-62401 5.4

A vulnerability in Moodle's timed assignment feature allows students to bypass time restrictions, potentially gaining extra time to complete assessmen...

Oct 23, 2025
CVE-2025-62393 4.3

This vulnerability allows unauthorized users to view limited course information they shouldn't have access to due to insufficient permission checks in...

Oct 23, 2025
CVE-2025-62394 4.3

Moodle fails to properly verify user enrolment status when sending quiz notifications, allowing suspended or inactive users to receive quiz-related me...

Oct 23, 2025
CVE-2025-62395 4.3

This vulnerability allows users with lower-level permissions to access cohort information from the system context, potentially exposing restricted adm...

Oct 23, 2025
CVE-2025-62396 5.3

An error-handling vulnerability in Moodle's router component (r.php) can expose internal directory listings when specific HTTP headers are misconfigur...

Oct 23, 2025
CVE-2025-3643 5.4

A reflected cross-site scripting (XSS) vulnerability exists in Moodle's policy tool where insufficient sanitization of return URLs allows attackers to...

Apr 25, 2025
CVE-2025-3645 4.3

This vulnerability in Moodle allows users to bypass authorization checks in a messaging web service, enabling them to view other users' names and onli...

Apr 25, 2025
CVE-2025-3636 4.3

This vulnerability in Moodle allows unauthorized users to access RSS feeds due to insufficient permission checks. Any Moodle instance with RSS feeds e...

Apr 25, 2025
CVE-2025-3638 8.8

This CSRF vulnerability in Moodle's Brickfield tool allows attackers to trick authenticated users into unknowingly submitting analysis requests. Any M...

Apr 25, 2025
CVE-2025-3641 8.8

A remote code execution vulnerability exists in Moodle's Dropbox repository feature, allowing authenticated teachers and managers to execute arbitrary...

Apr 25, 2025
CVE-2025-32044 7.5

CVE-2025-32044 is an information disclosure vulnerability in Moodle where unauthenticated attackers can retrieve sensitive user data including names, ...

Apr 25, 2025
CVE-2025-3627 4.3

A Moodle vulnerability allows some users to access sensitive student information before identity verification via 2FA is completed. This affects Moodl...

Apr 25, 2025
CVE-2025-26533 8.1

This SQL injection vulnerability in Moodle's course search module filter allows attackers to execute arbitrary SQL commands on the database. It affect...

Feb 24, 2025
CVE-2025-26526 6.5

This vulnerability allows users to bypass Separate Groups mode restrictions in Moodle's Feedback activities, enabling unauthorized viewing or deletion...

Feb 24, 2025
CVE-2025-26529 8.3

This stored cross-site scripting (XSS) vulnerability in Moodle's site administration live log allows attackers to inject malicious scripts that execut...

Feb 24, 2025
CVE-2025-26530 8.3

This reflected cross-site scripting (XSS) vulnerability in Moodle's question bank filter allows attackers to inject malicious scripts into web pages v...

Feb 24, 2025
CVE-2024-45690 7.5

This vulnerability in Moodle allows users to delete OAuth2-linked accounts without proper authorization checks. It affects Moodle instances with OAuth...

Nov 20, 2024
CVE-2024-48899 4.3

This vulnerability in Moodle allows authenticated users to view course badge lists for courses they shouldn't have access to. It's an improper access ...

Nov 20, 2024
CVE-2024-48897 4.3

This CVE describes an improper authorization vulnerability in Moodle where users can edit or delete RSS feeds they shouldn't have permission to modify...

Nov 18, 2024
CVE-2024-48901 4.3

This CVE describes an improper authorization vulnerability in Moodle where users can access report schedules without proper edit permissions. This aff...

Nov 18, 2024
CVE-2024-43439 5.4

This vulnerability in Moodle allows attackers to inject malicious scripts into H5P error messages, which are then reflected back to users. It affects ...

Nov 11, 2024
CVE-2024-43432 5.3

This vulnerability in Moodle's cURL wrapper could leak HTTP authorization credentials during redirects. When Moodle follows redirects, it strips HTTPA...

Nov 11, 2024
CVE-2024-43435 5.3

This vulnerability in Moodle allows users with course-level glossary restoration permissions to improperly restore glossaries into the global site glo...

Nov 11, 2024
CVE-2024-43429 5.3

This vulnerability in Moodle allows unauthorized users to view hidden user profile fields through gradebook reports. Users without the 'view hidden us...

Nov 11, 2024
CVE-2024-43434 8.1

This CSRF vulnerability in Moodle's Feedback module allows attackers to trick authenticated users into unknowingly sending bulk messages to non-respon...

Nov 7, 2024
CVE-2024-43438 7.5

This vulnerability allows authenticated users with bulk messaging permissions to send messages to users who should not be visible in activity non-resp...

Nov 7, 2024
CVE-2024-43425 8.1

This vulnerability in Moodle allows authenticated users with question editing permissions to execute arbitrary code through calculated question types....

Nov 7, 2024
CVE-2024-43428 7.7

This CVE addresses a cache poisoning vulnerability in Moodle that could allow attackers to manipulate locally cached data. The vulnerability affects M...

Nov 7, 2024
CVE-2024-34312 6.1

Virtual Programming Lab for Moodle up to version 4.2.3 contains a cross-site scripting (XSS) vulnerability in the vplide.js component. This allows att...

Jun 24, 2024
CVE-2024-38277 5.4

This vulnerability allows an attacker to use a QR login key interchangeably with an auto-login key, potentially bypassing authentication mechanisms. I...

Jun 18, 2024
CVE-2024-38274 6.1

This vulnerability allows attackers to inject malicious scripts into calendar event titles, which execute when users view the deletion prompt. This st...

Jun 18, 2024
CVE-2024-38275 7.5

The cURL wrapper in Moodle fails to strip HTTP authorization headers when following redirects, potentially exposing authentication credentials to thir...

Jun 18, 2024
CVE-2024-34002 6.5

This vulnerability allows a Moodle user with specific permissions to execute local file includes in misconfigured shared hosting environments. Attacke...

May 31, 2024
CVE-2024-34004 6.5

This vulnerability allows a Moodle user with wiki restore permissions and direct server access to execute local file includes in misconfigured shared ...

May 31, 2024

Why Monitor Moodle Security Vulnerabilities?

Real-time CVE tracking: Our automated system monitors 75+ known vulnerabilities affecting Moodle products and software packages. Stay ahead of emerging threats with instant email notifications when new security issues are discovered.

Automated security monitoring: Unlike manual CVE checking, FixTheCVE automatically scans your servers and detects vulnerable Moodle packages in under 60 seconds. No agents required - completely agentless scanning that works across Moodle deployments.

Free vulnerability database: Access detailed information about every Moodle CVE including CVSS scores, severity ratings, affected versions, and actionable patch guidance. Filter by critical, high, medium, or low severity to prioritize your security remediation efforts.

🚀 Get Started in 60 Seconds

  • Register free account & add your servers
  • Run one-time scan or schedule automatic monitoring (every 1-24 hours)
  • Receive instant alerts when new Moodle CVEs affect your systems
  • Access dashboard with severity breakdown & fix instructions