CVE-2025-26527: 
PHP vulnerability analysis and mitigation

CVE-2025-26527 is a security vulnerability discovered in Moodle, where tags not expected to be visible to a user could still be discovered via the tag search page or in the tags block. The vulnerability was discovered by Marina Glancy and disclosed on February 24, 2025. The affected versions include Moodle 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15, and earlier unsupported versions (Moodle Forum).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The issue is classified under CWE-1230 (Exposure of Sensitive Information Through Metadata). The vulnerability allows unauthorized access to tags that were intended to be hidden from users through the tag search page and tags block functionality (NVD).

The vulnerability exposes sensitive information by allowing users to discover tags that were intended to be hidden from them. This could potentially lead to unauthorized access to metadata and information categorization that was meant to be restricted (Debian Tracker).

The vulnerability has been fixed in Moodle versions 4.5.2, 4.4.6, 4.3.10, and 4.1.16. Users are advised to upgrade to these patched versions to mitigate the vulnerability. The fix can be tracked through the Moodle git repository with the reference MDL-83941 (Moodle Forum).