Moodle

Moodle is an open source Learning Platform


Products by Moodle Sorted by Most Security Vulnerabilities since 2018

Moodle: 300 vulnerabilities

By the Year

In 2026 there has been 1 vulnerability in Moodle with an average score of 7.2 out of ten. Last year, in 2025, Moodle had 38 security vulnerabilities published. Right now, Moodle is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.61.




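| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 1 | 7.20 |
| 2025 | 38 | 5.59 |
| 2024 | 55 | 6.01 |
| 2023 | 47 | 6.41 |
| 2022 | 48 | 6.47 |
| 2021 | 21 | 5.94 |
| 2020 | 20 | 6.58 |
| 2019 | 17 | 5.98 |
| 2018 | 17 | 6.58 |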

It may take a day or so for new Moodle vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Moodle Security Vulnerabilities

| CVE | Date | Vulnerability | Products |
|-----|------|---------------|----------|
| CVE-2021-47857 | Jan 21, 2026 | Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event. | Moodle |
| CVE-2025-62401 | Oct 23, 2025 | Moodle Timed Assignment BYPASS: Students Gain Extra Time. An issue in Moodle's timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to complete an assessment. | Moodle |
| CVE-2025-62395 | Oct 23, 2025 | Moodle Permission Bypass in Cohort Search Web Service. A flaw in the cohort search web service allowed users with permissions in lower contexts to access cohort information from the system context, revealing restricted administrative data. | Moodle |
| CVE-2025-62400 | Oct 23, 2025 | Moodle Hidden Group Info Disclosure via Calendar Event Permissions. Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information. | Moodle |
| CVE-2025-62399 | Oct 23, 2025 | Moodle Mobile/Web Auth Brute-Force. Moodle's mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks. | Moodle |
| CVE-2025-62398 | Oct 23, 2025 | Moodle Authentication flaw allows MFA bypass for valid users. A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially compromising user accounts. | Moodle |
| CVE-2025-62397 | Oct 23, 2025 | Moodle Router response to invalid course IDs discloses valid IDs. The router's inconsistent response to invalid course IDs allowed attackers to infer which course IDs exist, potentially aiding reconnaissance. | Moodle |
| CVE-2025-62396 | Oct 23, 2025 | Moodle Router Error Handling Exposes Dir Listings (CVE-2025-62396). An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured. | Moodle |
| CVE-2025-62394 | Oct 23, 2025 | Moodle Enrolment Check Bypass on Quiz Notifs. Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information. | Moodle |
| CVE-2025-62393 | Oct 23, 2025 | Moodle Auth Bypass in Course Overview Output. A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users to view information about courses they should not have access to, potentially exposing limited course details. | Moodle |
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).