Moodle Moodle
312 CVEs affecting Moodle Moodle. Latest disclosed: 2026-05-10. Critical: 1, High: 10.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2017-2641 | Critical | 9.8 | 2017-03-26 | In Moodle 2.x and 3.x, SQL injection can occur via user preferences. |
| CVE-2016-3734 | High | 8.8 | 2017-04-20 | Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and ear… |
| CVE-2016-9187 | High | 8.8 | 2016-11-04 | Unrestricted file upload vulnerability in the double extension support in the "image" module in Moodle 3.1.2 allows remote authenticated users to execute arbit… |
| CVE-2016-9186 | High | 8.8 | 2016-11-04 | Unrestricted file upload vulnerability in the "legacy course files" and "file manager" modules in Moodle 3.1.2 allows remote authenticated users to execute arb… |
| CVE-2016-2157 | High | 8.8 | 2016-05-22 | Cross-site request forgery (CSRF) vulnerability in mod/assign/adminmanageplugins.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x… |
| CVE-2015-5338 | High | 8.8 | 2016-02-22 | Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x be… |
| CVE-2016-7919 | High | 7.5 | 2016-10-28 | Moodle 3.1.2 allows remote attackers to obtain sensitive information via unspecified vectors, related to a "SQL Injection" issue affecting the Administration p… |
| CVE-2015-5267 | High | 7.5 | 2016-02-22 | lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 relies on the PHP mt_rand function to implement the… |
| CVE-2015-3272 | High | 7.4 | 2016-02-22 | Open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before… |
| CVE-2016-7038 | High | 7.3 | 2017-01-20 | In Moodle 2.x and 3.x, web service tokens are not invalidated when the user password is changed or forced to be changed. |
| CVE-2021-47857 | High | 7.2 | 2026-01-21 | Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts… |
| CVE-2015-5332 | Medium | 6.8 | 2016-02-22 | Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows remote attackers to cause a denial of service (disk consumption) by leveraging the guest role a… |
| CVE-2015-5266 | Medium | 6.8 | 2016-02-22 | The enrol_meta_sync function in enrol/meta/locallib.php in Moodle through 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8, and 2.9.x before 2.9.2 allows remote… |
| CVE-2019-10154 | Medium | 6.5 | 2019-06-26 | A flaw was found in Moodle before versions 3.7, 3.6.4. A web service fetching messages was not restricted to the current user's conversations. |
| CVE-2017-7532 | Medium | 6.5 | 2017-07-17 | In Moodle 3.x, course creators are able to change system default settings for courses. |
| CVE-2017-2642 | Medium | 6.5 | 2017-07-17 | Moodle 3.x has user fullname disclosure on the user preferences page. |
| CVE-2016-3729 | Medium | 6.5 | 2017-04-20 | The user editing form in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to… |
| CVE-2017-7489 | Medium | 6.3 | 2017-05-15 | In Moodle 2.x and 3.x, remote authenticated users can take ownership of arbitrary blogs by editing an external blog link. |
| CVE-2022-50943 | Medium | 6.1 | 2026-05-10 | Moodle LMS 4.0 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through t… |
| CVE-2017-12156 | Medium | 6.1 | 2017-09-18 | Moodle 3.x has XSS in the contact form on the "non-respondents" page in non-anonymous feedback. |