{"uuid": "20100033-b137-47a0-b98c-568c18deda5a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "Moodle security vulnerability May 2026", "description": "Insufficient CSRF token and capability checks were applied to an MNet admin setting.\nSeverity/Risk: \tMinor\nVersions affected: \t5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions\nVersions fixed: \t5.1.4, 5.0.7 and 4.5.11\nReported by: \tVincent Schneider\nCVE identifier: \tCVE-2026-7278\nChanges (main): \thttp://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84495\nTracker issue: \tMDL-84495 CSRF and missing capability check in admin/mnet/peers.php\n\n\nThe upstream AWS SDK for PHP library was upgraded, which included a security fix.\nSeverity/Risk: \tMinor\nVersions affected: \t5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions\nVersions fixed: \t5.1.4, 5.0.7 and 4.5.11\nReported by: \tMichael Hawkins\nCVE identifier: \tCVE-2025-14761\nChanges (main): \thttp://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87598\nTracker issue: \tMDL-87598 Upgrade AWS SDK for PHP including security fix (upstream)\n\n\n\nThe grade penalty rules reset function did not include the necessary token to prevent a CSRF risk.\nSeverity/Risk: \tMinor\nVersions affected: \t5.1 to 5.1.3 and 5.0 to 5.0.6\nVersions fixed: \t5.1.4 and 5.0.7\nReported by: \tKh\u1ea3i nguy\u1ec5n \u0110\u1eb7ng\nCVE identifier: \tCVE-2026-7277\nChanges (main): \thttp://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88087\nTracker issue: \tMDL-88087 CSRF risk in reset penalty rules functionality\n\n\n\nThe PHPUnit version in Moodle LMS 4.5 required updating to avoid an upstream Poisoned Pipeline Execution (PPE) risk.\nSeverity/Risk: \tMinor\nVersions affected: \t4.5 to 4.5.10\nVersions fixed: \t4.5.11\nReported by: \tHuong Nguyen\nCVE identifier: \tCVE-2026-24765\nChanges (main): 
\thttp://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88381\nTracker issue: \tMDL-88381 Upgrade PHPUnit version to avoid a security risk (upstream)\n\nA flaw in message handling of conversations with deleted users could result in active users losing access to their private messages.\nSeverity/Risk: \tMinor\nVersions affected: \t5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions\nVersions fixed: \t5.1.4, 5.0.7 and 4.5.11\nReported by: \tAdam Jenkins\nCVE identifier: \tCVE-2026-7276\nChanges (main): \thttp://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87760\nTracker issue: \tMDL-87760 Message panel breaks with messages from deleted users (messaging DoS risk)\n\n\n\nA remote code execution risk was identified in Moodle's Google Drive repository plugin.\nSeverity/Risk: \tSerious\nVersions affected: \t5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions\nVersions fixed: \t5.1.4, 5.0.7 and 4.5.11\nReported by: \tRojan Rijal\nWorkaround: \tDisable the Google Drive repository plugin until the patch has been applied.\nCVE identifier: \tCVE-2026-7275\nChanges (main): \thttp://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88423\nTracker issue: \tMDL-88423 RCE risk via Moodle's Google Drive repository plugin\n\n\n\n\nAn SQL injection risk was identified in the \"external database\" authentication plugin (auth_db). 
Note: This only affected sites with the auth_db authentication plugin enabled.\nSeverity/Risk: \tSerious\nVersions affected: \t5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions\nVersions fixed: \t5.1.4, 5.0.7 and 4.5.11\nReported by: \tMelvinsh\nCVE identifier: \tCVE-2026-7274\nChanges (main): \thttp://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88138\nTracker issue: \tMDL-88138 SQL injection risk in external database authentication plugin", "creation_timestamp": "2026-05-12T16:46:39.334754+00:00", "timestamp": "2026-05-12T16:46:39.334754+00:00", "related_vulnerabilities": ["CVE-2025-14761", "CVE-2026-7274", "CVE-2026-24765", "CVE-2026-7277", "CVE-2026-7275", "CVE-2026-7278", "CVE-2026-7276"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
