Cyber Resilience

CVE-2025-26529

Severity: High

Published: 24 February 2025
Modified: 08 August 2025
KEV Added: not listed
Patch: available (Moodle MDL-84145)
CVSS Score (v3.1): 8.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0096 (76.9th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-26529 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Moodle Moodle. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.1% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-26529 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Moodle learning management system. The flaw occurs in the site administration live log, where description information displayed to administrators lacked sufficient sanitization, enabling a stored XSS risk. It carries a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) and was published on 2025-02-24.

The vulnerability is reachable over the network (AV:N) and requires no privileges (PR:N), but exploitation has high attack complexity (AC:H) and requires user interaction (UI:R), such as an administrator viewing the affected live log. Successful exploitation changes scope (S:C) and can have high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), since the injected script runs in the administrator's browser context with that user's session and privileges.

Mitigation is provided through a patch in the Moodle Git repository, searchable under commit details for MDL-84145 at http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84145. Additional discussion and context are available in the Moodle forum thread at https://moodle.org/mod/forum/discuss.php?d=466145.

Vulnerability details

Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.

CWE(s)

CWE-79 (Cross-site Scripting)

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.007 JavaScript (Execution): adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

Stored XSS in a public-facing Moodle web application enables remote exploitation without authentication (T1190) and arbitrary JavaScript execution in the administrator's browser context (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-67850 (same product: Moodle Moodle)
- CVE-2021-47857 (same product: Moodle Moodle)
- CVE-2025-26530 (same product: Moodle Moodle)
- CVE-2025-67849 (same product: Moodle Moodle)
- CVE-2025-26533 (same product: Moodle Moodle)
- CVE-2025-67853 (same product: Moodle Moodle)
- CVE-2025-26525 (same product: Moodle Moodle)
- CVE-2026-26046 (same product: Moodle Moodle)
- CVE-2026-26045 (same product: Moodle Moodle)
- CVE-2025-67848 (same product: Moodle Moodle)

Affected Assets

Vendor: moodle
Product: moodle
Affected versions: 4.1.0 to 4.1.16 · 4.3.0 to 4.3.10 · 4.4.0 to 4.4.6

Mitigating Controls (NIST 800-53 r5)

- prevent: directly addresses the lack of sanitization in description information displayed in the site administration live log, preventing stored XSS execution.
- prevent: validates log inputs to block malicious script injection before storage, mitigating the root cause of the stored XSS vulnerability.
- prevent: ensures timely patching of the specific sanitization flaw as provided in the Moodle commit for MDL-84145.
