High severityOSV Advisory· Published Feb 3, 2026· Updated Feb 26, 2026
Moodle: moodle: cross-site scripting vulnerability via inadequate input filtering in formula editor
CVE-2025-67850
Description
A flaw was found in moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. A remote attacker could inject malicious code into these fields. When other users view these expressions, the malicious code would execute in their web browsers, potentially compromising their data or leading to unauthorized actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
moodle/moodlePackagist | < 4.1.22 | 4.1.22 |
moodle/moodlePackagist | >= 4.4.0-beta, < 4.4.12 | 4.4.12 |
moodle/moodlePackagist | >= 4.5.0-beta, < 4.5.8 | 4.5.8 |
moodle/moodlePackagist | >= 5.0.0-beta, < 5.0.4 | 5.0.4 |
moodle/moodlePackagist | >= 5.1.0-beta, < 5.1.1 | 5.1.1 |
Affected products
3- osv-coords2 versions
< 4.1.22+ 1 more
- (no CPE)range: < 4.1.22
- (no CPE)range: < 4.1.22
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-6mmv-f6c6-v6q8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-67850ghsaADVISORY
- access.redhat.com/security/cve/CVE-2025-67850ghsavdb-entryx_refsource_REDHATWEB
- bugzilla.redhat.com/show_bug.cgighsaissue-trackingx_refsource_REDHATWEB
- github.com/moodle/moodle/commit/c85f153068a717a3b28bc122e75154bac99e67e1ghsaWEB
- moodle.org/mod/forum/discuss.phpghsaWEB
News mentions
0No linked articles in our index yet.