CVE-2025-26525 — Moodle has an arbitrary file read risk through pdfTeX

Description

Insufficient sanitizing in the TeX notation filter resulted in an arbitrary file read risk on sites where pdfTeX is available (such as those with TeX Live installed).

How to fix CVE-2025-26525

To remediate CVE-2025-26525, upgrade the affected package to a fixed version below.

Bitnami/moodle—upgrade to 4.1.16 or later
—upgrade to 4.5.2 or later

Is CVE-2025-26525 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 4.1.0, < 4.1.16, >= 4.3.0, < 4.3.10, >= 4.4.0, < 4.4.6, >= 4.5.0, < 4.5.2
>= 4.5.0-beta, < 4.5.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-26525
PATCHgithub.com/moodle/moodle
WEBgit.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84136
WEBmoodle.org/mod/forum/discuss.php?d=466141