CVE-2026-26046
Published: 21 February 2026
Summary
CVE-2026-26046 is a high-severity OS Command Injection (CWE-78) vulnerability in Moodle Moodle. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-5 (Access Restrictions for Change).
Deeper analysis
CVE-2026-26046 is a command injection vulnerability (CWE-78) in the Moodle TeX filter administrative setting due to insufficient sanitization of configuration input. It affects Moodle sites where the TeX filter is enabled and ImageMagick is installed. Published on 2026-02-21, the vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires administrative privileges on the targeted Moodle instance. An attacker with admin access can submit a maliciously crafted setting value, resulting in unintended system command execution. Successful exploitation could compromise the entire Moodle server, enabling high-impact confidentiality, integrity, and availability violations.
Red Hat security advisories provide further details, including at https://access.redhat.com/security/cve/CVE-2026-26046 and the associated Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2440903. Security practitioners should review these resources for patch availability and recommended mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7389
Vulnerability details
A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled and ImageMagick is installed, a maliciously crafted setting value entered by…
more
an administrator could result in unintended system command execution. While exploitation requires administrative privileges, successful compromise could affect the entire Moodle server.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection (CWE-78) in public-facing Moodle admin settings directly enables OS command execution via Unix shell after obtaining admin access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces validation and sanitization of all configuration input to the TeX filter setting, directly blocking the crafted values that trigger command injection via ImageMagick.
Restricts the ability to modify the TeX filter administrative setting to only authorized and vetted change processes, reducing the window for an admin to introduce an unsanitized malicious value.
Disables the TeX filter or removes ImageMagick when the feature is not required, eliminating the attack surface that allows the unsanitized configuration value to reach a system command.