Home

Description

A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet.

PUBLISHED Reserved 2025-12-12 | Published 2026-02-03 | Updated 2026-02-03 | Assigner fedora




MEDIUM: 6.1CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

Problem types

Improper Neutralization of Formula Elements in a CSV File

Product status

Default status
unaffected

4.1.0 (semver) before 4.1.22
affected

4.4.0 (semver) before 4.4.12
affected

4.5.0 (semver) before 4.5.8
affected

5.0.0 (semver) before 5.0.4
affected

5.1.0 (semver) before 5.1.1
affected

Timeline

2025-12-19:Reported to Red Hat.
2025-12-15:Made public.

Credits

Red Hat would like to thank Brendan Heywood for reporting this issue.

References

access.redhat.com/security/cve/CVE-2025-67851 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2423841 (RHBZ#2423841) issue-tracking

moodle.org/mod/forum/discuss.php?d=471301

cve.org (CVE-2025-67851)

nvd.nist.gov (CVE-2025-67851)

Download JSON