CVE-2025-67851

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-67851
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67851.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-67851
Aliases
Downstream
Published
2026-02-03T11:15:55.367Z
Modified
2026-04-10T05:34:55.525683Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.

References

Affected packages

Git / github.com/moodle/moodle

Affected ranges

Type
GIT
Repo
https://github.com/moodle/moodle
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
df1157bb845eabedd31989d6a1a6e18f638ff890
Introduced
ee91c6536f99e1633e2245780c4fe7f47340ed66
Fixed
381b66b33a9b5f255d31f4508f26ad7c1a9af154
Introduced
52c0da7c647bd6ba8c5f61882d88959821a1fb41
Fixed
48c9857449da61ee1efa89e679c30efb58d72484
Introduced
78e860178314c45441a21e0b99455400b8283d48
Fixed
a5b3ac7e43c082e6cb24a6094810735a945ff32e
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
eb47eff0719455a7e1f7a9805bc75dad3f6b3995
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.1.22"
        },
        {
            "introduced": "4.4.0"
        },
        {
            "fixed": "4.4.11"
        },
        {
            "introduced": "4.5.0"
        },
        {
            "fixed": "4.5.8"
        },
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.0.4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.1.0-NA"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.3.0
v2.*
v2.0.0
v2.0.0-rc1
v2.0.0-rc2
v2.0.1
v2.1.0
v2.2.0
v2.2.0-beta
v2.2.0-rc1
v2.3.0
v2.3.0-beta
v2.3.0-rc1
v2.4.0
v2.4.0-beta
v2.4.0-rc1
v2.5.0
v2.5.0-beta
v2.5.0-rc1
v2.6.0
v2.6.0-beta
v2.6.0-rc1
v2.7.0
v2.7.0-beta
v2.7.0-rc1
v2.7.0-rc2
v2.8.0
v2.8.0-beta
v2.8.0-rc1
v2.8.0-rc2
v2.9.0
v2.9.0-beta
v2.9.0-rc1
v2.9.0-rc2
v3.*
v3.0.0
v3.0.0-beta
v3.0.0-rc1
v3.0.0-rc2
v3.0.0-rc3
v3.0.0-rc4
v3.1.0
v3.1.0-beta
v3.1.0-rc1
v3.1.0-rc2
v3.2.0
v3.2.0-beta
v3.2.0-rc1
v3.2.0-rc2
v3.2.0-rc3
v3.2.0-rc4
v3.2.0-rc5
v3.3.0
v3.3.0-beta
v3.3.0-rc1
v3.3.0-rc2
v3.3.0-rc3
v3.4.0
v3.4.0-beta
v3.4.0-rc1
v3.4.0-rc2
v3.4.0-rc3
v3.5.0
v3.5.0-beta
v3.5.0-rc1
v3.6.0
v3.6.0-beta
v3.6.0-rc1
v3.6.0-rc2
v3.6.0-rc3
v3.7.0
v3.7.0-beta
v3.7.0-rc1
v3.7.0-rc2
v3.8.0
v3.8.0-beta
v3.8.0-rc1
v3.9.0
v3.9.0-beta
v3.9.0-rc1
v3.9.0-rc2
v3.9.0-rc3
v4.*
v4.0.0
v4.0.0-beta
v4.0.0-rc1
v4.0.0-rc2
v4.0.0-rc3
v4.0.0-rc4
v4.1.0
v4.1.0-beta
v4.1.0-rc1
v4.1.0-rc2
v4.1.0-rc3
v4.1.1
v4.1.10
v4.1.11
v4.1.12
v4.1.13
v4.1.14
v4.1.15
v4.1.16
v4.1.17
v4.1.18
v4.1.19
v4.1.2
v4.1.20
v4.1.21
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.4.0
v4.4.1
v4.4.10
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6
v4.4.7
v4.4.8
v4.4.9
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.5.4
v4.5.5
v4.5.6
v4.5.7
v5.*
v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.1.0
v5.1.0-beta
v5.1.0-rc1
v5.1.0-rc2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67851.json"