CVE-2025-26529

HIGH

Moodle 4.1.0-4.1.15 and 4.5.0-beta-4.5.1 - Stored Cross-Site Scripting in Site Administration Live Log


Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-26529. PoCs published by Astroo18 and hxuu.

AI-analyzed exploit summary: This repository contains a functional PoC for CVE-2025-26529, demonstrating an SSRF to XSS to RCE vulnerability chain in Moodle 4.4.5. It includes scripts for cookie theft, command execution, and file exfiltration.

Description

Description information displayed in the site administration live log required additional sanitizing to prevent a stored XSS risk.

Exploits (2)

nomisec · Working PoC · 9 stars
by Astroo18 · PoC
https://github.com/Astroo18/PoC-CVE-2025-26529

This repository contains a functional PoC for CVE-2025-26529, demonstrating an SSRF to XSS to RCE vulnerability chain in Moodle 4.4.5. It includes scripts for cookie theft, command execution, and file exfiltration.

Classification: Working PoC (95%)
Attack Type: XSS, SSRF, RCE
Complexity: Moderate
Reliability: Reliable
Target: Moodle 4.4.5 (Build: 20241209)
Authentication: No auth needed
Prerequisites: Access to a vulnerable Moodle instance · Ability to host malicious files on an attacker-controlled server
Analyzed by devstral-2 on Feb 16, 2026

nomisec · Working PoC · 3 stars
by hxuu · PoC
https://github.com/hxuu/moodle-cve

This repository contains a proof-of-concept exploit for CVE-2025-26529, targeting a Moodle-like web application. The exploit involves a bot that automates login and navigation to demonstrate an SSRF or authentication bypass vulnerability.

Classification: Working PoC (90%)
Attack Type: SSRF
Complexity: Moderate
Reliability: Reliable
Target: Custom Moodle-like web application
Authentication: Auth required
Prerequisites: Access to the target URL · Valid admin credentials
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v3: 8.3
EPSS: 0.0096
EPSS Percentile: 77.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-79
Status: published
Products (2)
moodle/moodle 4.1.0 - 4.1.16
moodle/moodle 4.5.0-beta - 4.5.2 (Packagist)
Published: Feb 24, 2025
Tracked Since: Feb 18, 2026