CVE-2025-67850

HIGH 7.3

Moodle: moodle: cross-site scripting vulnerability via inadequate input filtering in formula editor

CVSS Score

7.3

EPSS Score

0.0%

EPSS Percentile

0th

A flaw was found in moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor's arithmetic expression fields. A remote attacker could inject malicious code into these fields. When other users view these expressions, the malicious code would execute in their web browsers, potentially compromising their data or leading to unauthorized actions.

CWE	CWE-79
Published	Feb 3, 2026
Last Updated	Feb 26, 2026

Stay Ahead of the Next One

Get instant alerts for

Be the first to know when new high vulnerabilities are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

NVD ↗ CVE.org ↗ EPSS Data ↗

access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-67850 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2423838

Credits

Red Hat would like to thank Aleksey Solovev for reporting this issue.