CVE-2025-67851
Published: 03 February 2026
Summary
CVE-2025-67851 is a medium-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Moodle. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). It ranks at the 17.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Formula injection in exported Moodle data creates malicious files (T1204.002) whose opening triggers arbitrary command execution via spreadsheet formula evaluation (T1059.003).
NVD Description
A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.
Deeper analysis
CVE-2025-67851 is a formula injection vulnerability in Moodle, where data fields are exported without proper escaping. This flaw allows malicious data to be injected, which, when the exported file is opened in a spreadsheet application, can trigger the execution of arbitrary formulas. The vulnerability is rated with a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L) and is associated with CWE-1236. It was published on 2026-02-03.
A remote attacker with low privileges can exploit this vulnerability by submitting malicious data into Moodle. Exploitation requires local access to export the data and subsequent user interaction to open the exported file in a spreadsheet program. Successful exploitation enables arbitrary formula execution within the spreadsheet, resulting in low confidentiality impact, high integrity impact through compromised data integrity, and low availability impact from unintended operations.
Mitigation details and patches are documented in advisories available at https://access.redhat.com/security/cve/CVE-2025-67851, https://bugzilla.redhat.com/show_bug.cgi?id=2423841, and https://moodle.org/mod/forum/discuss.php?d=471301.
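The export-time escaping described above, together with an audit pass over an existing export, as an added example in Python. It is not Moodle's code or its patch; the function names, the single-quote prefix strategy and the sample rows are assumptions made for illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula (the set listed in OWASP's CSV injection guidance); tab and CR are
# included because some importers strip them before evaluating the cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True if a cell would be offered to the formula parser when opened."""
    return isinstance(value, str) and value.startswith(FORMULA_TRIGGERS)


def neutralize(value):
    """Prefix a single quote so the spreadsheet treats the cell as text."""
    return "'" + value if is_formula_like(value) else value


def export_csv(rows, escape=True):
    """Serialize rows to CSV; escape=False reproduces the unescaped export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize(c) if escape else c for c in row])
    return buf.getvalue()


def audit_csv(text):
    """Return (row, column, value) for every formula-like cell in an export."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample data: one user-controlled field holds a harmless formula.
SAMPLE_ROWS = [
    ["username", "city", "balance"],
    ["alice", "Perth", "-12.50"],
    ["mallory", "=1+1", "40"],
]

if __name__ == "__main__":
    print(audit_csv(export_csv(SAMPLE_ROWS, escape=False)))
    print(audit_csv(export_csv(SAMPLE_ROWS, escape=True)))
```

The prefix check is deliberately broad, so legitimate negative numbers such as `-12.50` are also flagged and prefixed; exports that must stay numeric need typed columns rather than a narrower trigger list.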
Details
- CWE(s)