CVE-2026-26046 is an OS command injection vulnerability identified in the Moodle TeX filter administrative setting. The root cause is insufficient sanitization of configuration input fields, which allows specially crafted input by an administrator to be interpreted as system commands. This vulnerability manifests when the TeX filter is enabled and ImageMagick is installed on the server, as the filter interacts with ImageMagick for rendering TeX content. An attacker with administrative privileges can exploit this flaw by entering malicious configuration values, leading to arbitrary command execution on the underlying operating system. The vulnerability affects Moodle versions 0, 5.0.0, and 5.1.0. The CVSS v3.1 score is 7.2, indicating high severity, with attack vector as network, low attack complexity, requiring high privileges but no user interaction. Successful exploitation compromises confidentiality, integrity, and availability of the Moodle server, potentially allowing full system takeover. No public exploits are known at this time, but the vulnerability poses a significant risk to Moodle deployments that have not applied patches or mitigations. The flaw underscores the importance of rigorous input validation and secure configuration management in web applications, especially those with administrative interfaces.

The impact of CVE-2026-26046 is substantial for organizations using affected Moodle versions with the TeX filter enabled and ImageMagick installed. An attacker with administrative access can execute arbitrary OS commands, potentially leading to full server compromise. This can result in unauthorized data access, data modification or deletion, disruption of Moodle services, and use of the compromised server as a pivot point for further attacks within the network. Educational institutions, online learning platforms, and enterprises relying on Moodle for critical operations could face significant operational disruption and data breaches. The requirement for administrative privileges limits the attack surface but does not eliminate risk, as insider threats or compromised admin accounts could be leveraged. The vulnerability could also damage organizational reputation and lead to compliance violations if sensitive student or user data is exposed.

To mitigate CVE-2026-26046, organizations should immediately update Moodle to a patched version once available. In the absence of patches, administrators should disable the TeX filter if not essential or remove ImageMagick from the server to break the exploitation chain. Strictly limit administrative access to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication. Regularly audit administrative configurations for suspicious or unexpected entries. Employ application-layer firewalls or intrusion detection systems to monitor and block anomalous command execution attempts. Additionally, implement strict input validation and sanitization controls in custom Moodle plugins or configurations. Regular backups and incident response plans should be in place to recover from potential compromises. Monitoring logs for unusual administrative activity can help detect exploitation attempts early.