CVE-2026-26046

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-26046

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26046.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-26046

Aliases

BIT-moodle-2026-26046

Downstream

UBUNTU-CVE-2026-26046

Published

2026-02-21T06:17:00.203Z

Modified

2026-04-10T05:40:55.887558Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled and ImageMagick is installed, a maliciously crafted setting value entered by an administrator could result in unintended system command execution. While exploitation requires administrative privileges, successful compromise could affect the entire Moodle server.

References

Affected packages

Git / github.com/moodle/moodle

Affected ranges

Type

GIT

Repo

https://github.com/moodle/moodle

Events

Introduced

Fixed

6b4d33a98f43ac19f1a37952467c8fbc722d0bdb

Introduced

78e860178314c45441a21e0b99455400b8283d48

Fixed

e1c3872f65bf261ecfe3cf7d171f98580f209089

Introduced

eb47eff0719455a7e1f7a9805bc75dad3f6b3995

Fixed

ac802ad8043e957fc8d6b9dfba4bb60f20949959

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.5.9"
        },
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.0.5"
        },
        {
            "introduced": "5.1.0"
        },
        {
            "fixed": "5.1.2"
        }
    ]
}

Affected versions

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.3.0

v2.*

v2.0.0

v2.0.0-rc1

v2.0.0-rc2

v2.0.1

v2.1.0

v2.2.0

v2.2.0-beta

v2.2.0-rc1

v2.3.0

v2.3.0-beta

v2.3.0-rc1

v2.4.0

v2.4.0-beta

v2.4.0-rc1

v2.5.0

v2.5.0-beta

v2.5.0-rc1

v2.6.0

v2.6.0-beta

v2.6.0-rc1

v2.7.0

v2.7.0-beta

v2.7.0-rc1

v2.7.0-rc2

v2.8.0

v2.8.0-beta

v2.8.0-rc1

v2.8.0-rc2

v2.9.0

v2.9.0-beta

v2.9.0-rc1

v2.9.0-rc2

v3.*

v3.0.0

v3.0.0-beta

v3.0.0-rc1

v3.0.0-rc2

v3.0.0-rc3

v3.0.0-rc4

v3.1.0

v3.1.0-beta

v3.1.0-rc1

v3.1.0-rc2

v3.2.0

v3.2.0-beta

v3.2.0-rc1

v3.2.0-rc2

v3.2.0-rc3

v3.2.0-rc4

v3.2.0-rc5

v3.3.0

v3.3.0-beta

v3.3.0-rc1

v3.3.0-rc2

v3.3.0-rc3

v3.4.0

v3.4.0-beta

v3.4.0-rc1

v3.4.0-rc2

v3.4.0-rc3

v3.5.0

v3.5.0-beta

v3.5.0-rc1

v3.6.0

v3.6.0-beta

v3.6.0-rc1

v3.6.0-rc2

v3.6.0-rc3

v3.7.0

v3.7.0-beta

v3.7.0-rc1

v3.7.0-rc2

v3.8.0

v3.8.0-beta

v3.8.0-rc1

v3.9.0

v3.9.0-beta

v3.9.0-rc1

v3.9.0-rc2

v3.9.0-rc3

v4.*

v4.0.0

v4.0.0-beta

v4.0.0-rc1

v4.0.0-rc2

v4.0.0-rc3

v4.0.0-rc4

v4.1.0

v4.1.0-beta

v4.1.0-rc1

v4.1.0-rc2

v4.1.0-rc3

v4.2.0

v4.2.0-beta

v4.2.0-rc1

v4.2.0-rc2

v4.3.0

v4.3.0-beta

v4.3.0-rc1

v4.3.0-rc2

v4.4.0

v4.4.0-beta

v4.4.0-rc1

v4.4.0-rc2

v4.5.0

v4.5.0-beta

v4.5.0-rc1

v4.5.0-rc2

v4.5.1

v4.5.2

v4.5.3

v4.5.4

v4.5.5

v4.5.6

v4.5.7

v4.5.8

v5.*

v5.0.0

v5.0.1

v5.0.2

v5.0.3

v5.0.4

v5.1.0

v5.1.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26046.json"