
CVE-2026-26047: Uncontrolled Resource Consumption

Severity: Medium
Published: Sat Feb 21 2026 (02/21/2026, 05:40:11 UTC)
Source: CVE Database V5

Description

CVE-2026-26047 is a denial-of-service vulnerability in Moodle's TeX formula editor that uses mimetex for rendering. Authenticated users can craft complex TeX formulas that bypass execution time limits, causing excessive server resource consumption. This can degrade performance or cause service outages. The vulnerability affects Moodle versions 0, 5.0.0, and 5.1.0. It requires authentication but no user interaction beyond formula submission. The CVSS score is 6.

AI-Powered Analysis

Last updated: 02/21/2026, 06:17:11 UTC

Technical Analysis

CVE-2026-26047 is a denial-of-service (DoS) vulnerability found in Moodle's TeX formula editor component, specifically when rendering TeX content via the mimetex tool. The root cause is insufficient enforcement of execution time limits during the processing of TeX formulas. An authenticated user can submit specially crafted TeX formulas that require excessive computational resources to render, leading to uncontrolled resource consumption on the server. This can result in degraded performance or complete service interruption of the Moodle platform. The vulnerability affects Moodle versions 0, 5.0.0, and 5.1.0. The attack vector requires authentication but no additional user interaction, making it easier for insiders or registered users to exploit. The CVSS v3.1 base score is 6.5, reflecting a medium severity with a high impact on availability (denial of service), no impact on confidentiality or integrity, low attack complexity, and no user interaction required. No public exploits have been reported yet, but the vulnerability poses a risk to Moodle deployments, especially in educational environments where TeX formulas are frequently used. The vulnerability was published on February 21, 2026, and no official patches or mitigations were linked at the time of reporting.

Potential Impact

The primary impact of CVE-2026-26047 is denial of service, which can severely disrupt Moodle-based learning management systems. Organizations relying on Moodle for educational delivery, assessments, or collaboration may experience degraded system responsiveness or complete outages, affecting students, educators, and administrative staff. This can lead to loss of instructional time, reduced productivity, and reputational damage. Since the vulnerability requires authenticated access, the risk is higher from malicious insiders or compromised user accounts. The lack of impact on confidentiality and integrity limits data breach concerns, but availability disruption in critical educational environments can have significant operational consequences. The vulnerability could also be leveraged in targeted attacks to disrupt specific institutions or regions, especially during peak usage periods such as exams or course deadlines.

Mitigation Recommendations

To mitigate CVE-2026-26047, organizations should first apply any available patches or updates from Moodle that address the TeX formula rendering issue. If patches are not yet available, administrators should consider disabling the TeX formula editor or restricting its use to trusted users only. Implementing resource usage limits at the server or application level, such as CPU timeouts or memory caps for mimetex processes, can help prevent excessive resource consumption. Monitoring and alerting on unusual TeX rendering activity or spikes in server resource usage can provide early detection of exploitation attempts. Additionally, enforcing strong authentication and account monitoring reduces the risk of malicious insiders exploiting this vulnerability. Educating users about responsible use of formula editors and auditing submitted formulas may also help mitigate risk until a permanent fix is deployed.
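
One way to apply the CPU-timeout and memory-cap recommendation above to an external renderer process, as an added example (not Moodle's code and not part of the original advisory). The function name `run_limited` and the default limits are assumptions chosen for illustration, and because the page does not give the mimetex command line, the demo uses `sh` and `sleep` as stand-ins for the renderer.

```python
import os
import resource
import signal
import subprocess


def _cap(res, soft, hard):
    """Set an rlimit without exceeding the hard limit already in force."""
    cur_hard = resource.getrlimit(res)[1]
    if cur_hard != resource.RLIM_INFINITY:
        hard = min(hard, cur_hard)
    resource.setrlimit(res, (min(soft, hard), hard))


def run_limited(argv, cpu_s=2, wall_s=5, mem_bytes=512 * 2**20):
    """Run argv under CPU, address-space and wall-clock caps.

    Returns (verdict, stdout_bytes); verdict is one of
    "ok", "failed", "resource_limit" or "wall_timeout".
    """
    def limits():  # runs in the child, after fork() and before exec()
        _cap(resource.RLIMIT_CPU, cpu_s, cpu_s + 1)  # SIGXCPU, then SIGKILL
        _cap(resource.RLIMIT_AS, mem_bytes, mem_bytes)

    proc = subprocess.Popen(
        argv, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
        stderr=subprocess.DEVNULL, preexec_fn=limits,
        start_new_session=True)  # own process group, so helpers die with it
    try:
        out, _ = proc.communicate(timeout=wall_s)
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGKILL)  # backstop for sleeping/blocked jobs
        proc.communicate()
        return "wall_timeout", b""
    # The kernel ends a process that exhausts RLIMIT_CPU with SIGXCPU/SIGKILL.
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):
        return "resource_limit", out
    return ("ok" if proc.returncode == 0 else "failed"), out


if __name__ == "__main__":
    # Constructed stand-in commands; a deployment would pass the renderer's argv.
    print(run_limited(["sh", "-c", "echo ok"]))
    print(run_limited(["sh", "-c", "while :; do :; done"], cpu_s=1, wall_s=10))
    print(run_limited(["sleep", "5"], wall_s=1))
```

Logging every verdict other than "ok" with the submitting account gives the monitoring signal the paragraph above asks for.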


Technical Details

Data Version: 5.2

Assigner Short Name: fedora

Date Reserved: 2026-02-10T13:30:03.986Z

CVSS Version: 3.1

State: PUBLISHED

Threat ID: 69994a6fbe58cf853b51dfbc

Added to database: 2/21/2026, 6:02:23 AM

Last enriched: 2/21/2026, 6:17:11 AM

Last updated: 2/21/2026, 7:22:52 AM
