Moodle
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Moodle.
By the Year
In 2025 there have been 36 vulnerabilities in Moodle with an average score of 5.6 out of ten. Last year, in 2024 Moodle had 54 security vulnerabilities published. Right now, Moodle is on track to have less security vulnerabilities in 2025 than it did last year. Last year, the average CVE base score was greater by 0.42
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 36 | 5.59 |
| 2024 | 54 | 6.01 |
| 2023 | 45 | 6.34 |
| 2022 | 46 | 6.40 |
| 2021 | 21 | 5.94 |
| 2020 | 20 | 6.58 |
| 2019 | 17 | 5.98 |
| 2018 | 17 | 6.58 |
It may take a day or so for new Moodle vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Moodle Security Vulnerabilities
Moodle Timed Assignment BYPASS: Students Gain Extra Time
CVE-2025-62401
5.4 - Medium
- October 23, 2025
An issue in Moodles timed assignment feature allowed students to bypass the time restriction, potentially giving them more time than allowed to complete an assessment.
AuthZ
Moodle Permission Bypass in Cohort Search Web Service
CVE-2025-62395
4.3 - Medium
- October 23, 2025
A flaw in the cohort search web service allowed users with permissions in lower contexts to access cohort information from the system context, revealing restricted administrative data.
Authorization
Moodle Hidden Group Info Disclosure via Calendar Event Permissions
CVE-2025-62400
4.3 - Medium
- October 23, 2025
Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information.
Information Disclosure
Moodle Mobile/Web Auth Brute-Force
CVE-2025-62399
7.5 - High
- October 23, 2025
Moodles mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks.
Improper Restriction of Excessive Authentication Attempts
Moodle Authentication flaw allows MFA bypass for valid users
CVE-2025-62398
5.4 - Medium
- October 23, 2025
A serious authentication flaw allowed attackers with valid credentials to bypass multi-factor authentication under certain conditions, potentially compromising user accounts.
authentification
Moodle Router response to invalid course IDs discloses valid IDs
CVE-2025-62397
5.3 - Medium
- October 23, 2025
The routers inconsistent response to invalid course IDs allowed attackers to infer which course IDs exist, potentially aiding reconnaissance.
Generation of Error Message Containing Sensitive Information
Moodle Router Error Handling Exposes Dir Listings (CVE202562396)
CVE-2025-62396
5.3 - Medium
- October 23, 2025
An error-handling issue in the Moodle router (r.php) could cause the application to display internal directory listings when specific HTTP headers were not properly configured.
Exposure of Information Through Directory Listing
Moodle Enrolment Check Bypass on Quiz Notifs
CVE-2025-62394
4.3 - Medium
- October 23, 2025
Moodle failed to verify enrolment status correctly when sending quiz notifications. As a result, suspended or inactive users might receive quiz-related messages, leaking limited course information.
AuthZ
Moodle Auth Bypass in Course Overview Output
CVE-2025-62393
4.3 - Medium
- October 23, 2025
A flaw was found in the course overview output function where user access permissions were not fully enforced. This could allow unauthorized users to view information about courses they should not have access to, potentially exposing limited course details.
Authorization
SessFix in Moodle 3.x-3.11.18 via unauth sesskey in OAuth2
CVE-2025-53021
- June 24, 2025
A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Session Fixation
Moodle Brickfield CSRF in Analysis Request Action
CVE-2025-3638
- April 25, 2025
A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cross-site request forgery (CSRF) risk.
Moodle Auth Bypass: Unauthorized Cohort Data Access
CVE-2025-3647
- April 25, 2025
A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.
Moodle Messaging WS Info Disclosure via Cap Check Bypass
CVE-2025-3645
- April 25, 2025
A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses.
Moodle RBAC Bypass: Unauthorized Deletion of Course Sections
CVE-2025-3644
- April 25, 2025
A flaw was found in Moodle. Additional checks were required to prevent users from deleting course sections they did not have permission to modify.
Moodle Policy Tool Return URL Reflected XSS
CVE-2025-3643
- April 25, 2025
A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk.
Moodle RCE via EQUELLA Repository for Teachers/Managers
CVE-2025-3642
- April 25, 2025
A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA repository enabled.
Moodle Dropbox RCE (CVE-2025-3641)
CVE-2025-3641
- April 25, 2025
A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox repository enabled.
Moodle Access Control Bypass: User Data Leak via Capability Checks
CVE-2025-3640
- April 25, 2025
A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access.
Moodle mod_data CSRF token leak via URLs on edit/delete pages
CVE-2025-3637
- April 25, 2025
A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occurred specifically on two types of pages within the mod_data module: edit and delete pages.
Moodle RSS Feed Auth Bypass via Cap Check Flaw
CVE-2025-3636
- April 25, 2025
A flaw was found in Moodle. This vulnerability allows unauthorized users to access and view RSS feeds due to insufficient capability checks.
Moodle CSRF Enables Tour Duplication Without Auth
CVE-2025-3635
- April 25, 2025
A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks.
Moodle Assignment Submission De-anonymization via Search
CVE-2025-3628
- April 25, 2025
A flaw has was found in Moodle where anonymous assignment submissions can be de-anonymized via search, revealing student identities.
Moodle 2FA Bypass Exposes Sensitive Student Info
CVE-2025-3627
- April 25, 2025
A security vulnerability was discovered in Moodle that allows some users to access sensitive information about other students before they finish verifying their identities using two-factor authentication (2FA).
Moodle 2FA Bypass via Sensitive Data Leakage
CVE-2025-3625
- April 25, 2025
A security vulnerability was discovered in Moodle that can allow hackers to gain access to sensitive information about students and prevent them from logging into their accounts, even after they had completed two-factor authentication (2FA).
Moodle Grade Report PLE via missing capability checks
CVE-2025-32045
- April 25, 2025
A flaw has been identified in Moodle where insufficient capability checks in certain grade reports allowed users without the necessary permissions to access hidden grades.
Moodle: Unauth. API Stack Trace Disclosure (CVE-2025-32044)
CVE-2025-32044
- April 25, 2025
A flaw has been identified in Moodle where, on certain sites, unauthenticated users could retrieve sensitive user dataincluding names, contact information, and hashed passwordsvia stack traces returned by specific API calls. Sites with PHP configured with zend.exception_ignore_args = 1 in the php.ini file are not affected by this vulnerability.
Moodle Enrollment Bypass: Self-Enrollment Skips 2FA
CVE-2025-3634
- April 25, 2025
A security vulnerability was discovered in Moodle that allows students to enroll themselves in courses without completing all the necessary safety checks. Specifically, users can sign up for courses prematurely, even if they haven't finished two-step verification processes.
SQLi in Moodle Course Search Module List Filter
CVE-2025-26533
9.8 - Critical
- February 24, 2025
An SQL injection risk was identified in the module list filter within course search.
Glossary Entry Restore TrustText Failure (CVE-2025-26532)
CVE-2025-26532
4.3 - Medium
- February 24, 2025
Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored.
WordPress BadgeOS: Missing Capability Check Lets Users Disable Unowned Badges
CVE-2025-26531
5.3 - Medium
- February 24, 2025
Insufficient capability checks made it possible to disable badges a user does not have permission to access.
Stored XSS via unsanitized Admin Live Log
CVE-2025-26529
6.1 - Medium
- February 24, 2025
Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.
Moodle ddimageortext XSS in DragandDrop onto Image question type
CVE-2025-26528
6.1 - Medium
- February 24, 2025
The drag-and-drop onto image (ddimageortext) question type required additional sanitizing to prevent a stored XSS risk.
WordPress Tags Unintended Disclosure via Tag Search & Tags Block
CVE-2025-26527
- February 24, 2025
Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block.
Moodle Feedback SEGBM mode bypasses permission checks
CVE-2025-26526
- February 24, 2025
Separate Groups mode restrictions were not factored into permission checks before allowing viewing or deletion of responses in Feedback activities.
Arbitrary File Read via Insufficient Sanitizing in PDFTeX TeX Notation Filter
CVE-2025-26525
- February 24, 2025
Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed).
Reflected XSS in Question Bank Filter
CVE-2025-26530
6.1 - Medium
- February 24, 2025
The question bank filter required additional sanitizing to prevent a reflected XSS risk.
Moodle Dynamic Tables Capability Check Bypass (Data Exposure)
CVE-2024-45689
- November 20, 2024
A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.
AuthZ
Moodle OAuth2 Account Deletion Authorization Bypass
CVE-2024-45690
- November 20, 2024
A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.
Moodle Password Bypass in Lesson Activity via Loose Compare
CVE-2024-45691
- November 20, 2024
A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic. This issue only affected passwords set to "magic hash" values.
Moodle Badge List Access Control Bypass CVE-2024-48899
CVE-2024-48899
- November 20, 2024
A vulnerability was found in Moodle. Additional checks are required to ensure users can only fetch the list of course badges for courses that they are intended to have access to.
Insecure Direct Object Reference / IDOR
Moodle Messaging Component Information Disclosure Vulnerability
CVE-2024-48896
4.3 - Medium
- November 18, 2024
A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site.
Generation of Error Message Containing Sensitive Information
Moodle RSS Feed Access Control Vulnerability
CVE-2024-48897
4.3 - Medium
- November 18, 2024
A vulnerability was found in Moodle. Additional checks are required to ensure users can only edit or delete RSS feeds that they have permission to modify.
AuthZ
Moodle: Privilege Escalation in Audience Deletion
CVE-2024-48898
4.3 - Medium
- November 18, 2024
A vulnerability was found in Moodle. Users with access to delete audiences from reports could delete audiences from other reports that they do not have permission to delete from.
AuthZ
Moodle Report Schedule Access Control Vulnerability
CVE-2024-48901
4.3 - Medium
- November 18, 2024
A vulnerability was found in Moodle. Additional checks are required to ensure users can only access the schedule of a report if they have permission to edit that report.
AuthZ
Moodle Badge Recipient Permission Bypass
CVE-2024-48900
- November 13, 2024
A vulnerability was found in Moodle. Additional checks are required to ensure users with permission to view badge recipients can only access lists of those they are intended to have access to.
Information Disclosure
Moodle H5P Reflected Cross-Site Scripting (XSS) Vulnerability
CVE-2024-43439
6.1 - Medium
- November 11, 2024
A flaw was found in moodle. H5P error messages require additional sanitizing to prevent a reflected cross-site scripting (XSS) risk.
Moodle Matrix Integration: Improper Access Control for Suspended Users
CVE-2024-43433
5.3 - Medium
- November 11, 2024
A flaw was found in moodle. Matrix room membership and power levels are incorrectly applied and revoked for suspended Moodle users.
Moodle Backup XSS Vulnerability
CVE-2024-43437
6.1 - Medium
- November 11, 2024
A flaw was found in moodle. Insufficient sanitizing of data when performing a restore could result in a cross-site scripting (XSS) risk from malicious backup files.
Moodle cURL Wrapper HTTP Authorization Header Leak Vulnerability
CVE-2024-43432
5.3 - Medium
- November 11, 2024
A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.
Moodle Quiz External API Insufficient Access Control Vulnerability
CVE-2024-43430
5.3 - Medium
- November 11, 2024
A flaw was found in moodle. External API access to Quiz can override contained insufficient access control.
