About “Moodle”

A curated feed of “Moodle”-related CVEs appears below. We currently track 580 CVEs for this tag (all time). In the last 365 days, 26 were published. Average CVSS is 5.6 (all time; 6.4 over 365d), and 19% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), CWE-639 - Authorization Bypass Through User-Controlled Key, CWE-94 - Improper Control of Generation of Code ('Code Injection').

In our taxonomy this topic maps to a LOW impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: moodle

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle   Release   Latest    Premier Support   EOL       LTS
5.2               5.2.0
5.1               5.1.4
5.0               5.0.7                       Soon
4.5               4.5.11                                LTS
4.4               4.4.12                      Expired
4.3               4.3.12                      Expired
4.2               4.2.11                      Expired
4.1               4.1.22                      Expired   LTS
4.0               4.0.12                      Expired
3.11              3.11.18                     Expired
3.10              3.10.11                     Expired
3.9               3.9.25                      Expired   LTS
3.8               3.8.9                       Expired

Legend: Maintained · Soon (≤ 180 days) · Expired

CVEs tagged with this topic.
2026-05-10
Medium

CVE-2022-50943

Moodle LMS 4.0 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Attackers can injec…

2026-03-18
Critical

CVE-2026-30884

mdjnelson/moodle-mod_customcert is a Moodle plugin for creating dynamically generated certificates with complete customization via the web browser. Prior to versions 4.4.9 and 5.0.3, a teacher who ho…

2026-02-21
Medium

CVE-2026-26047

A denial-of-service vulnerability was identified in Moodle’s TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to…

High

CVE-2026-26046

A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled…

High

CVE-2026-26045

A flaw was identified in Moodle’s backup restore functionality where specially crafted backup files were not properly validated during processing. If a malicious backup file is restored, it could lea…

2026-02-03
Medium

CVE-2025-67857

A flaw was found in moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, comp…

Medium

CVE-2025-67856

A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This c…

High

CVE-2025-67853

A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess use…

Low

CVE-2025-67852

A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated.…

Medium

CVE-2025-67851

A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, w…

High

CVE-2025-67850

A flaw was found in moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. A re…

High

CVE-2025-67849

A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages.…

High

CVE-2025-67848

A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI a…

2026-01-23
High

CVE-2025-67847

A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which lead…

2026-01-21
High

CVE-2021-47857

Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event wit…

2025-10-23
Medium

CVE-2025-62401

An issue in Moodle’s timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to complete an assessment.

Medium

CVE-2025-62400

Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information.

High

CVE-2025-62399

Moodle’s mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks.

Medium

CVE-2025-62396

An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured.

Medium

CVE-2025-62394

Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information.

2025-10-21
High

CVE-2025-60507

Cross site scripting vulnerability in Moodle GeniAI plugin (local_geniai) 2.3.6. An authenticated user with Teacher role can upload a PDF containing embedded JavaScript. The assistant outputs a direc…

Medium

CVE-2025-60511

Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability due to insufficient validation of the blockId parameter in /blocks/openai_chat…

Medium

CVE-2025-60506

Moodle PDF Annotator plugin v1.5 release 9 allows stored cross-site scripting (XSS) via the Public Comments feature. An attacker with a low-privileged account (e.g., Student) can inject arbitrary Jav…

2025-06-24
Medium

CVE-2025-53021

A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication a…

Medium

CVE-2025-34032

A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user in…

High

CVE-2025-34031

A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() functi…

2025-05-10
Medium

CVE-2025-4513

A vulnerability classified as problematic was found in Catalyst User Key Authentication Plugin 20220819 on Moodle. Affected by this vulnerability is an unknown functionality of the file /auth/userkey…

2025-04-25
Medium

CVE-2025-3647

A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.

Medium

CVE-2025-3645

A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses.

Medium

CVE-2025-3644

A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.

Medium

CVE-2025-3643

A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk.

High

CVE-2025-3642

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA re…

High

CVE-2025-3641

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox re…

Medium

CVE-2025-3640

A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they di…

High

CVE-2025-3638

A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cross-site request forgery (CSRF) risk.

Low

CVE-2025-3637

A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occu…

Medium

CVE-2025-3636

A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks.

Low

CVE-2025-3635

A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attack…

Medium

CVE-2025-3628

A flaw was found in Moodle where anonymous assignment submissions can be de-anonymized via search, revealing student identities.

Medium

CVE-2025-3627

A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish verifying their identities using two-factor authentica…

High

CVE-2025-3625

A security vulnerability was discovered in Moodle that can allow hackers to gain access to sensitive information about students and prevent them from logging into their accounts, even after they had…

Medium

CVE-2025-32045

A flaw has been identified in Moodle where insufficient capability checks in certain grade reports allowed users without the necessary permissions to access hidden grades.

High

CVE-2025-32044

A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user data—including names, contact information, and hashed passwords—via stack traces retu…

Medium

CVE-2025-3634

A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses…

2024-11-20
Medium

CVE-2024-48899

A vulnerability was found in Moodle. Additional checks are required to ensure users can only fetch the list of course badges for courses that they are intended to have access to.

Medium

CVE-2024-45691

A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic.…

High

CVE-2024-45690

A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.

Medium

CVE-2024-45689

A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.

2024-11-18
Medium

CVE-2024-48901

A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report.

Medium

CVE-2024-48898

A vulnerability was found in Moodle. Users with access to delete audiences from reports could delete audiences from other reports that they do not have permission to delete from.

Medium

CVE-2024-48897

A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify.

Medium

CVE-2024-48896

A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messagin…

2024-11-13
Medium

CVE-2024-48900

A vulnerability was found in Moodle. Additional checks are required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to.

2024-11-11
Medium

CVE-2024-43439

A flaw was found in moodle. H5P error messages require additional sanitizing to prevent a reflected cross-site scripting (XSS) risk.

Medium

CVE-2024-43437

A flaw was found in moodle. Insufficient sanitizing of data when performing a restore could result in a cross-site scripting (XSS) risk from malicious backup files.

Medium

CVE-2024-43435

A flaw was found in moodle. Insufficient capability checks make it possible for users with access to restore glossaries in courses to restore them into the global site glossary.

Medium

CVE-2024-43433

A flaw was found in moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users.

Medium

CVE-2024-43432

A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header informat…

Medium

CVE-2024-43430

A flaw was found in moodle. External API access to Quiz can override contained insufficient access control.

Medium

CVE-2024-43429

A flaw was found in moodle. Some hidden user profile fields are visible in gradebook reports, which could result in users without the "view hidden user fields" capability having access to the informa…

Low

CVE-2024-43427

A flaw was found in moodle. When creating an export of site administration presets, some sensitive secrets and keys are not being excluded from the export, which could result in them unintentionally…

2024-11-07
High

CVE-2024-43440

A flaw was found in moodle. A local file include risk was present when restoring block backups.

High

CVE-2024-43434

The bulk message sending feature in Moodle's Feedback module's non-respondents report had an incorrect CSRF token check, leading to a CSRF vulnerability.

High

CVE-2024-43431

A vulnerability was found in Moodle. Insufficient capability checks made it possible to delete badges that a user does not have permission to access.

High

CVE-2024-43428

To address a cache poisoning risk in Moodle, additional validation for local storage was required.

High

CVE-2024-43425

A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions.

2024-06-24
Medium

CVE-2024-34312

Virtual Programming Lab for Moodle up to v4.2.3 was discovered to contain a cross-site scripting (XSS) vulnerability via the component vplide.js.

2024-06-20
Medium

CVE-2024-37674

Cross Site Scripting vulnerability in Moodle CMS v3.10 allows a remote attacker to execute arbitrary code via the Field Name (name parameter) of a new activity.

2024-06-18
High

CVE-2024-38275

The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

2024-05-31
Medium

CVE-2024-34005

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore database activity modules and direct access to the web s…

Medium

CVE-2024-34004

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore wiki modules and direct access to the web server outside…

Medium

CVE-2024-34003

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore workshop modules and direct access to the web server out…

Medium

CVE-2024-34002

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user with both access to restore feedback modules and direct access to the web server out…

2024-03-22
Medium

CVE-2024-28593

The Chat activity in Moodle 4.3.3 allows students to insert a potentially unwanted HTML A element or IMG element, or HTML content that leads to a performance degradation. NOTE: the vendor's Using_Cha…

2024-03-21
Medium

CVE-2024-29374

A Cross-Site Scripting (XSS) vulnerability exists in the way MOODLE 3.10.9 handles user input within the "GET /?lang=" URL parameter.

2024-02-12
Medium

CVE-2024-1439

Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attac…

2023-11-09
Medium

CVE-2023-5550

In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could uti…

2023-10-29
Medium

CVE-2023-46858

Moodle 4.3 allows /grade/report/grader/index.php?searchvalue= reflected XSS when logged in as a teacher. NOTE: the Moodle Security FAQ link states "Some forms of rich content [are] used by teachers t…

2023-07-01
Medium

CVE-2021-4399

The Edwiser Bridge plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.6. This is due to missing or incorrect nonce validation on the user_data_synch…

2023-06-22
High

CVE-2023-35133

An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3…

Medium

CVE-2023-35132

A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsuppor…

Medium

CVE-2023-35131

Content on the groups page required additional sanitizing to prevent an XSS risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8 and 3.11 to 3.11.14.

2023-05-16
Medium

CVE-2021-27131

Moodle 3.10.1 is vulnerable to persistent/stored cross-site scripting (XSS) due to the improper input sanitization on the "Additional HTML Section" via "Header and Footer" parameter in /admin/setting…

2023-05-02
Medium

CVE-2023-30944

A vulnerability was found in Moodle which exists due to insufficient sanitization of user-supplied data in the external Wiki method for listing pages. A remote attacker can send a specially crafted reques…

Medium

CVE-2023-30943

A vulnerability was found in Moodle which exists because the application allows a user to control the path of the folder to create in TinyMCE loaders. A remote user can send a specially crafted HTTP reques…

2023-03-24
Medium

CVE-2022-40208

In Moodle, insufficient limitations in some quiz web services made it possible for students to bypass sequential navigation during a quiz attempt.

2023-03-23
Critical

CVE-2023-28333

The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: This did not appear to be implemented/exploitable anywhere in the core Moodle LMS).

2023-03-06
Medium

CVE-2021-36403

In Moodle, in some circumstances, email notifications of messages could have the link back to the original message hidden by HTML, which may pose a phishing risk.

Medium

CVE-2021-36402

In Moodle, Users' names required additional sanitizing in the account confirmation email, to prevent a self-registration phishing risk.

Medium

CVE-2021-36401

In Moodle, ID numbers exported in HTML data formats required additional sanitizing to prevent a local stored XSS risk.

Medium

CVE-2021-36400

In Moodle, insufficient capability checks made it possible to remove other users' calendar URL subscriptions.

Medium

CVE-2021-36399

In Moodle, ID numbers displayed in the quiz override screens required additional sanitizing to prevent a stored XSS risk.

Medium

CVE-2021-36398

In moodle, ID numbers displayed in the web service token list required additional sanitizing to prevent a stored XSS risk.

Medium

CVE-2021-36397

In Moodle, insufficient capability checks meant message deletions were not limited to the current user.

High

CVE-2021-36396

In Moodle, insufficient redirect handling made it possible to blindly bypass cURL blocked hosts/allowed ports restrictions, resulting in a blind SSRF risk.

High

CVE-2021-36395

In Moodle, the file repository's URL parsing required additional recursion handling to mitigate the risk of recursion denial of service.

Critical

CVE-2021-36394

In Moodle, a remote code execution risk was identified in the Shibboleth authentication plugin.

Critical

CVE-2021-36393

In Moodle, an SQL injection risk was identified in the library fetching a user's recent courses.

Critical

CVE-2021-36392

In Moodle, an SQL injection risk was identified in the library fetching a user's enrolled courses.

2023-02-17
High

CVE-2023-23923

A vulnerability was found in Moodle which exists due to insufficient limitations on the "start page" preference. A remote attacker can set that preference for another user. The vulnerability allows a…

Medium

CVE-2023-23922

A vulnerability was found in Moodle which exists due to insufficient sanitization of user-supplied data in blog search. A remote attacker can trick the victim into following a specially crafted link and ex…

Medium

CVE-2023-23921

A vulnerability was found in Moodle which exists due to insufficient sanitization of user-supplied data in some returnurl parameters. A remote attacker can trick the victim into following a specially craft…

2023-01-12
Medium

CVE-2022-39183

Moodle Plugin - SAML Auth may allow Open Redirect through unspecified vectors.

2022-12-27
Medium

CVE-2020-36633

A vulnerability was found in moodle-block_sitenews 1.0. It has been classified as problematic. This affects the function get_content of the file block_sitenews.php. The manipulation leads to cross-si…

2022-11-25
Critical

CVE-2022-45152

A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not util…

2022-11-23
Medium

CVE-2022-45151

A stored XSS vulnerability was discovered in Moodle which exists due to insufficient sanitization of user-supplied data in several "social" user profile fields. An attacker could inject and execute…

Medium

CVE-2022-45150

A reflected cross-site scripting vulnerability was discovered in Moodle. This flaw exists due to insufficient sanitization of user-supplied data in the policy tool. An attacker can trick the victim to op…

Medium

CVE-2022-45149

A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL. A user's CSRF token was unnecessarily included in the URL when being…

2022-09-30
Critical

CVE-2022-40314

A remote code execution risk when restoring backup files originating from Moodle 1.9 was identified.

2022-09-13
Medium

CVE-2021-36568

In certain Moodle products after creating a course, it is possible to add in an arbitrary "Topic" a resource, in this case a "Database" with the type "Text" where its values "Field name" and "Field de…

2022-08-16
High

CVE-2020-1756

In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, insufficient input escaping was applied to the PHP unit webrunner admin tool.

Medium

CVE-2020-1755

In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, X-Forwarded-For headers could be used to spoof a user's IP, in order to bypass remote address checks.

High

CVE-2020-14322

In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, yui_combo needed to limit the amount of files it can load to help mitigate the risk of denial of service.

High

CVE-2020-14321

In Moodle before 3.9.1, 3.8.4, 3.7.7 and 3.5.13, teachers of a course were able to assign themselves the manager role within that course.

Medium

CVE-2020-14320

In Moodle before 3.9.1, 3.8.4 and 3.7.7, the filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.

2022-08-05
Medium

CVE-2020-1754

In Moodle before 3.8.2, 3.7.5, 3.6.9 and 3.5.11, users viewing the grade history report without the 'access all groups' capability were not restricted to viewing grades of users within their own grou…

Medium

CVE-2020-1691

In Moodle 3.8, messages required extra sanitizing before updating the conversation overview, to prevent the risk of stored cross-site scripting.

2022-07-25
Medium

CVE-2022-35653

A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the vi…

Medium

CVE-2022-35652

An open redirect issue was found in Moodle due to improper sanitization of user-supplied data in the mobile auto-login feature. A remote attacker can create a link that leads to a trusted website, howeve…

Medium

CVE-2022-35651

A stored XSS and blind SSRF vulnerability was found in Moodle, which occurs due to insufficient sanitization of user-supplied data in the SCORM track details. A remote attacker can trick the victim to foll…
