CVE-2025-67851
Published: 03 February 2026
Summary
CVE-2025-67851 is a medium-severity Improper Neutralization of Formula Elements in a CSV File (CWE-1236) vulnerability in Moodle. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 19.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-67851 is a formula injection vulnerability in Moodle, where data fields are exported without proper escaping. This flaw allows malicious data to be injected, which, when the exported file is opened in a spreadsheet application, can trigger the execution of arbitrary formulas. The vulnerability is rated with a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L) and is associated with CWE-1236. It was published on 2026-02-03.
A remote attacker with low privileges can exploit this vulnerability by submitting malicious data into Moodle. Exploitation requires local access to export the data and subsequent user interaction to open the exported file in a spreadsheet program. Successful exploitation enables arbitrary formula execution within the spreadsheet, resulting in low confidentiality impact, high integrity impact (compromised data), and low availability impact (unintended operations).
Mitigation details and patches are documented in advisories available at https://access.redhat.com/security/cve/CVE-2025-67851, https://bugzilla.redhat.com/show_bug.cgi?id=2423841, and https://moodle.org/mod/forum/discuss.php?d=471301.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206735
Vulnerability details
A flaw was found in Moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Formula injection in exported Moodle data creates malicious files (T1204.002) whose opening triggers arbitrary command execution via spreadsheet formula evaluation (T1059.003).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of data fields before export so that formula metacharacters are rejected or escaped, directly blocking the injection vector in CVE-2025-67851.
- SI-15 (Information Output Filtering): mandates filtering and encoding of organizational information on output (export), ensuring spreadsheet formulas cannot be injected unescaped as described in the CVE.
- Information integrity verification: requires verification of information integrity on exported artifacts, enabling detection of unauthorized formula content introduced by the Moodle flaw.