CVSS: 8.1 • EPSS: 0% • CPEs: 4 • EXPL: 0

24 Feb 2025 — An SQL injection risk was identified in the module list filter within course search. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84271 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 3.1 • EPSS: 0% • CPEs: 4 • EXPL: 0

24 Feb 2025 — Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84003 • CWE-863: Incorrect Authorization

CVSS: 3.1 • EPSS: 0% • CPEs: 4 • EXPL: 0

24 Feb 2025 — Insufficient capability checks made it possible to disable badges a user does not have permission to access. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84239 • CWE-863: Incorrect Authorization

CVSS: 8.3 • EPSS: 0% • CPEs: 3 • EXPL: 0

24 Feb 2025 — The question bank filter required additional sanitizing to prevent a reflected XSS risk. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84146 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.3 • EPSS: 0% • CPEs: 4 • EXPL: 0

24 Feb 2025 — Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84145 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 3.4 • EPSS: 0% • CPEs: 4 • EXPL: 0

24 Feb 2025 — The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82896 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.3 • EPSS: 0% • CPEs: 4 • EXPL: 0

24 Feb 2025 — Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-83941 • CWE-1230: Exposure of Sensitive Information Through Metadata

CVSS: 6.5 • EPSS: 0% • CPEs: 4 • EXPL: 0

24 Feb 2025 — Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79976 • CWE-863: Incorrect Authorization

CVSS: 8.6 • EPSS: 0% • CPEs: 4 • EXPL: 0

24 Feb 2025 — Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed). • https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84136 • CWE-552: Files or Directories Accessible to External Parties

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

27 Dec 2022 — A vulnerability was found in moodle-block_sitenews 1.0. It has been classified as problematic. This affects the function get_content of the file block_sitenews.php. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. • https://github.com/eberhardt/moodle-block_sitenews/commit/cd18d8b1afe464ae6626832496f4e070bac4c58f • CWE-352: Cross-Site Request Forgery (CSRF)