CVE-2025-67851 MEDIUM

CVE-2025-67851: Moodle: formula injection allows arbitrary formula execution via unescaped data export

Weakness CWE-1236
Published February 3, 2026
Last update February 3, 2026

CVSS base score

6.1/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

What the vulnerability does

01 Description

A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.
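
The export-side escaping that CWE-1236 calls for, shown as an added example; it is not Moodle's code or its fix and is not part of this record. It neutralizes cells that begin with a formula trigger character before writing CSV, and audits an already exported file for cells that were left unescaped. The function names and sample rows are constructed for illustration.

```python
import csv
import io
import re

# Leading characters that make spreadsheet applications evaluate a cell.
# Tab and carriage return are included, as in common CSV-injection guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?([eE][+-]?\d+)?")


def is_formula_like(text):
    """True if the cell starts with a trigger and is not just a signed number."""
    return text.startswith(FORMULA_TRIGGERS) and not PLAIN_NUMBER.fullmatch(text)


def neutralize_cell(value):
    """Return the cell as text a spreadsheet displays instead of evaluating."""
    text = "" if value is None else str(value)
    # A leading apostrophe keeps the cell from starting with a trigger character.
    return "'" + text if is_formula_like(text) else text


def export_csv(rows):
    """Serialize rows to CSV, neutralizing every cell and quoting all fields."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def audit_csv(text):
    """Return (row, column, value) for each cell that would be evaluated."""
    return [
        (r, c, cell)
        for r, row in enumerate(csv.reader(io.StringIO(text)), start=1)
        for c, cell in enumerate(row, start=1)
        if is_formula_like(cell)
    ]


# Constructed sample rows: one user-supplied field carries a formula.
SAMPLE_ROWS = [
    ["username", "city", "score"],
    ["alice", "Perth", 87],
    ["mallory", "=SUM(A1:A9)", -3],
]
```

Running audit_csv over existing export files shows which stored fields already hold formula-like values; legitimate signed numbers such as -3 are left untouched by both functions.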

Key dates

02 Disclosure timeline

February 3, 2026 CVE published
February 3, 2026 Record updated