CVE-2025-67850 HIGH

CVE-2025-67850: Moodle: moodle: cross-site scripting vulnerability via inadequate input filtering in formula editor

Weakness CWE-79 · XSS
Published February 3, 2026
Last update February 26, 2026

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

A flaw was found in moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. A remote attacker could inject malicious code into these fields. When other users view these expressions, the malicious code would execute in their web browsers, potentially compromising their data or leading to unauthorized actions.

Key dates

02Disclosure timeline

February 3, 2026 CVE published
February 26, 2026 Record updated