CVE-2025-26533: 
PHP vulnerability analysis and mitigation

An SQL injection vulnerability (CVE-2025-26533) was identified in the module list filter within Moodle's course search functionality. The vulnerability was discovered on February 24, 2025, affecting Moodle versions 4.5 to 4.5.1, 4.4 to 4.4.5, 4.3 to 4.3.9, 4.1 to 4.1.15, and earlier unsupported versions. The issue was reported by Lars Bonczek (Moodle Forum).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), commonly known as SQL Injection. The CVSS v3.1 base score is 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a serious security risk that requires no privileges or user interaction to exploit (NVD).

The SQL injection vulnerability could potentially allow attackers to execute unauthorized database queries, potentially leading to data breach, data manipulation, or unauthorized access to sensitive information within the Moodle platform (NVD).

Fixed versions have been released: Moodle 4.5.2, 4.4.6, 4.3.10, and 4.1.16. Users are advised to upgrade to these patched versions to mitigate the vulnerability (Moodle Forum).

The vulnerability has been assigned a Medium priority by Ubuntu and is under evaluation for various Linux distributions. Red Hat has determined that this vulnerability does not affect any of their currently supported products (Ubuntu, Red Hat).