EIP-2026-109578
PRE-CVE
Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - _sort_ parameter
Title source: legacy
Exploitation Summary
EIP tracks 1 public exploit for EIP-2026-109578. PoCs published by Julio Ángel Ferrari.
AI-analyzed exploit summary: This exploit demonstrates a time-based blind SQL injection vulnerability in Moodle 3.10.1 via the 'sort' parameter. It extracts database information, usernames, and passwords by leveraging delayed responses to infer character matches.
Description
Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - _sort_ parameter
Exploits (1)
exploitdb
WORKING POC
by Julio Ángel Ferrari · python · webapps · php
https://www.exploit-db.com/exploits/51984
Classification
Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Moodle 3.10.1
Auth required
Prerequisites: Authenticated session with valid MoodleSession cookie · Access to the vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026
Details
Status: pre_cve
Tracked Since: Feb 18, 2026