CVE-2025-67849 HIGH

CVE-2025-67849: Moodle: moodle: cross-site scripting (xss) via improper sanitization of ai prompt responses

Weakness CWE-79 · XSS
Published February 3, 2026
Last update February 26, 2026

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface could be manipulated.

Key dates

02Disclosure timeline

February 3, 2026 CVE published
February 26, 2026 Record updated