CVE-2025-26530
Published: 24 February 2025
Summary
CVE-2025-26530 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Moodle. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked in the top 23.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- SI-10 (Information Input Validation): directly mandates validation of user inputs to the question bank filter, addressing the insufficient sanitization that enables reflected XSS payloads.
- SI-15 (Information Output Filtering): requires filtering of information outputs so that unsanitized malicious input is not reflected back as an executable script in the Moodle question bank.
- Flaw remediation: ensures timely identification, reporting, and correction of the specific flaw via the available Moodle patch (MDL-84146), mitigating the XSS vulnerability.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The reflected XSS vulnerability in the publicly accessible Moodle question bank filter maps directly to T1190 (Exploit Public-Facing Application): an unauthenticated attacker can craft a malicious URL that, once a victim interacts with it, executes script in the victim's browser, with high impact and a changed scope.
NVD Description
The question bank filter required additional sanitizing to prevent a reflected XSS risk.
Deeper analysis [AI-generated]
CVE-2025-26530 is a reflected cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the question bank filter in Moodle due to insufficient sanitization of input. Published on 2025-02-24, it carries a CVSS v3.1 base score of 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H): network-accessible and high severity, but requiring high attack complexity and user interaction.
The vulnerability can be exploited by unauthenticated attackers over the network who craft malicious payloads targeting the question bank filter. Exploitation requires a user, such as an authenticated Moodle user or administrator, to interact with a specially crafted link or input, for example by clicking a malicious URL. Successful exploitation has high-impact consequences, including unauthorized access to confidential data, loss of system integrity, and loss of availability, with a changed scope that can affect the broader Moodle environment.
Moodle advisories reference a patch in git commit MDL-84146, available via the project's repository, which adds necessary sanitization to the question bank filter. Additional details are discussed in the Moodle forum thread at https://moodle.org/mod/forum/discuss.php?d=466146.
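The two controls named above, input validation (SI-10) and output filtering (SI-15), are the generic defences against this bug class. The following is an added illustration written for this page, not Moodle's code and not the MDL-84146 fix: Moodle is a PHP application, but the principle is shown here in Python. It models a filter parameter that a page reflects back into its HTML, first rendered verbatim (the defect class) and then rendered after allow-list validation and HTML encoding. The parameter name, the allow-list pattern and the sample values are constructed for the example.

```python
"""Added example: validating and HTML-encoding a reflected filter parameter.

Not Moodle code; the parameter name ``filter``, the allow-list pattern and
the sample inputs are assumptions constructed for this illustration.
"""
import re
from html import escape

# Assumed allow-list for a filter identifier: short, alphanumeric, underscore/hyphen.
# SI-10 style control: reject anything outside the expected shape before use.
FILTER_NAME_RE = re.compile(r"[A-Za-z0-9_\-]{1,64}")


def validate_filter_name(value: str) -> bool:
    """Return True only if the whole value matches the allow-list pattern."""
    return FILTER_NAME_RE.fullmatch(value) is not None


def render_filter_reflected_unsafe(value: str) -> str:
    """The defect class: the parameter is interpolated into HTML verbatim.

    Any markup characters in ``value`` become part of the page structure.
    """
    return f'<span class="filter-label">{value}</span>'


def render_filter_reflected_safe(value: str) -> str:
    """SI-15 style control: HTML-encode the value before reflecting it.

    ``escape`` with ``quote=True`` encodes &, <, >, " and ' so the value is
    rendered as inert text inside an HTML text node or attribute.
    """
    return f'<span class="filter-label">{escape(value, quote=True)}</span>'


def handle_filter_request(params: dict) -> tuple[int, str]:
    """Combined handling: validate first, then encode on output.

    Returns an (HTTP status, body) pair. Invalid input is rejected with 400
    and is itself encoded in the error body, so the rejection page cannot
    become a second reflection point.
    """
    value = params.get("filter", "")
    if not validate_filter_name(value):
        return 400, f"<p>Invalid filter value: {escape(value, quote=True)}</p>"
    return 200, render_filter_reflected_safe(value)


def reflected_text_is_inert(rendered: str) -> bool:
    """Check that the content between the span tags contains no raw markup characters."""
    inner = rendered[len('<span class="filter-label">'):-len("</span>")]
    return not any(ch in inner for ch in '<>"\'')


if __name__ == "__main__":
    # Constructed sample inputs: one benign filter key, one containing markup.
    for sample in ("qtype_multichoice", "<b>x</b>"):
        print("unsafe:", render_filter_reflected_unsafe(sample))
        print("safe:  ", render_filter_reflected_safe(sample))
        print("request:", handle_filter_request({"filter": sample}))
```

Both layers matter: validation keeps unexpected values out of the application's logic, while encoding at the point of output protects even values that legitimately contain special characters, and protects any code path that forgets to validate.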
Details
- CWE(s)