VYPR
Moderate severityOSV Advisory· Published Feb 3, 2026· Updated Feb 3, 2026

Moodle: moodle: formula injection allows arbitrary formula execution via unescaped data export

CVE-2025-67851

Description

A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
moodle/moodlePackagist
< 4.1.224.1.22
moodle/moodlePackagist
>= 4.4.0-beta, < 4.4.124.4.12
moodle/moodlePackagist
>= 4.5.0-beta, < 4.5.84.5.8
moodle/moodlePackagist
>= 5.0.0-beta, < 5.0.45.0.4
moodle/moodlePackagist
>= 5.1.0-beta, < 5.1.15.1.1

Affected products

3

Patches

Vulnerability mechanics

References

8

News mentions

0

No linked articles in our index yet.