Home

Description

A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled and ImageMagick is installed, a maliciously crafted setting value entered by an administrator could result in unintended system command execution. While exploitation requires administrative privileges, successful compromise could affect the entire Moodle server.

PUBLISHED Reserved 2026-02-10 | Published 2026-02-21 | Updated 2026-02-24 | Assigner fedora




HIGH: 7.2CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unaffected

Any version before 4.5.9
affected

5.0.0 (semver) before 5.0.5
affected

5.1.0 (semver) before 5.1.2
affected

Timeline

2026-02-19:Reported to Red Hat.
2026-02-19:Made public.

Credits

Red Hat would like to thank Vicevirus for reporting this issue.

References

access.redhat.com/security/cve/CVE-2026-26046 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2440903 (RHBZ#2440903) issue-tracking

cve.org (CVE-2026-26046)

nvd.nist.gov (CVE-2026-26046)

Download JSON