CVE-2025-67850 is a Cross-Site Scripting (XSS) vulnerability identified in Moodle, a widely used open-source learning management system. The flaw exists in the formula editor's arithmetic expression fields, where user input is insufficiently sanitized or neutralized before being embedded into web pages. This improper neutralization allows a remote attacker with at least limited privileges (PR:L) to inject malicious JavaScript code into these fields. When other users view the affected expressions, the malicious script executes within their browsers under the context of the Moodle site, enabling attacks such as session hijacking, credential theft, or unauthorized actions on behalf of the victim user. The vulnerability requires user interaction (UI:R), meaning the victim must view the malicious content for exploitation to occur. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N) indicates network attack vector, low attack complexity, some privileges required, user interaction needed, unchanged scope, and high impact on confidentiality and integrity, but no impact on availability. Affected Moodle versions include 4.1.0, 4.4.0, 4.5.0, 5.0.0, and 5.1.0. As of the published date, no known exploits are reported in the wild, but the vulnerability poses a significant risk due to Moodle's extensive deployment in educational institutions and organizations globally. The flaw stems from inadequate input validation and output encoding in the formula editor, a component often used in educational content creation. Attackers could leverage this to compromise user accounts or steal sensitive data. The vulnerability was reserved in December 2025 and published in February 2026, with no official patches linked yet, emphasizing the need for proactive mitigation.

For European organizations, especially educational institutions, public sector bodies, and enterprises using Moodle for training and collaboration, this vulnerability presents a significant risk. Successful exploitation can lead to unauthorized disclosure of sensitive information, including personal data of students and staff, violating GDPR requirements. It can also enable attackers to perform actions on behalf of users, potentially leading to privilege escalation or data manipulation. The widespread use of Moodle across Europe in universities, schools, and government training programs means a large attack surface. Disruption of trust in e-learning platforms and potential regulatory penalties for data breaches are additional concerns. The vulnerability does not impact availability directly but threatens confidentiality and integrity, which are critical for compliance and operational security. Given the user interaction requirement, phishing or social engineering could be used to increase exploitation success. The lack of known exploits currently provides a window for mitigation before active attacks emerge.

1. Monitor Moodle vendor communications closely and apply official patches immediately upon release. 2. Until patches are available, restrict access to the formula editor to trusted users only, minimizing exposure. 3. Implement web application firewall (WAF) rules to detect and block suspicious script injections targeting formula editor inputs. 4. Conduct thorough input validation and output encoding on all user-supplied data in custom Moodle deployments or plugins, especially in formula editor components. 5. Educate users about the risks of clicking on untrusted links or viewing suspicious content within Moodle. 6. Regularly audit user-generated content in formula fields for anomalous or suspicious scripts. 7. Employ Content Security Policy (CSP) headers to limit the impact of potential XSS payloads by restricting script execution sources. 8. Review and tighten Moodle user privilege assignments to enforce least privilege principles. 9. Use security scanning tools to detect XSS vulnerabilities in Moodle instances proactively. 10. Maintain up-to-date backups and incident response plans to quickly recover from potential compromises.