Moodle Formula Injection Vulnerability Allowing Arbitrary Formula Execution

Vulnerability

A formula injection vulnerability has been identified in Moodle. This issue arises when data fields are exported without adequate escaping, enabling remote attackers to inject malicious data. When the exported file is opened in a spreadsheet, the injected formulas can execute, potentially compromising data integrity and leading to unintended actions within the spreadsheet.

Impact

Exploitation of this vulnerability allows for arbitrary formula execution in spreadsheets, which can disrupt data integrity and cause unintended operations.

Added: Feb 3, 2026, 11:22 AM

Updated: Feb 3, 2026, 5:31 PM

Vulnerability Rating

Custom Algorithm

spread

5.0

impact

0.2

exploitability

4.6

remediation

0.0

relevance

2.5

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.0

impact

0.2

exploitability

4.6

remediation

0.0

relevance

2.5

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Moodle Formula Injection Vulnerability Allowing Arbitrary Formula Execution

Vulnerability

Impact

Affected Products

Moodle

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating