Moodle, Cross-site Scripting, CVE-2026-0302 (High)

Listen to this Post

The CVE-2026-0302 vulnerability in Moodle is a stored Cross-site Scripting (XSS) flaw located within the formula editor’s arithmetic expression fields. These fields are used for inputting mathematical expressions in various activities like quizzes or assignments. The vulnerability arises due to insufficient input sanitization and output encoding mechanisms in the affected Moodle versions. When a user, such as an instructor or student, submits data to these fields, the application fails to properly validate or escape JavaScript code embedded within the input. An attacker can inject malicious scripts by crafting arithmetic expressions that include HTML script tags or JavaScript event handlers. For example, an attacker could input a string like `` disguised as a formula. This malicious input is then stored in the Moodle database. When another user views the page where this expression is rendered, such as when reviewing a quiz question, the browser interprets and executes the injected script. The execution occurs within the victim’s session context, allowing the attacker to steal session cookies, impersonate the user, perform unauthorized actions, or deface the interface. The vulnerability leverages the trust placed in the Moodle platform and requires the attacker to have permissions to edit content in the formula editor, which may be granted to various roles. The core issue is in the PHP and JavaScript code handling user-supplied data before rendering it to HTML. Patched versions address this by implementing strict input validation and proper output encoding to neutralize dangerous content before display.
Platform: Moodle
Version: Multiple affected versions
Vulnerability: Cross-site Scripting
Severity: High
date: Feb 3 2026

Prediction: Patches available now

What Undercode Say:

Analytics:

!/bin/bash

Check Moodle version vulnerability

curl -s http://target.com/moodle/version.php | grep -o “Release [0-9.]”

Simulate XSS payload injection

echo ‘Malicious formula: ‘ > xss_payload.txt

how Exploit:

Inject script via formula editor fields, stored in database, executes when viewed by victims.

Protection from this CVE

Update to patched versions, implement input sanitization, use Content Security Policy.

Impact:

Session hijacking, data theft, unauthorized actions.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top