CVE-2026-26046 — Moodle: moodle: improper input sanitization in tex filter administration setting

Description

A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled and ImageMagick is installed, a maliciously crafted setting value entered by an administrator could result in unintended system command execution. While exploitation requires administrative privileges, successful compromise could affect the entire Moodle server.

How to fix CVE-2026-26046

To remediate CVE-2026-26046, upgrade the affected package to a fixed version below.

—upgrade to 4.5.9 or later

Is CVE-2026-26046 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.5.9, >= 5.0.0, < 5.0.5, >= 5.1.0, < 5.1.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References (3)

WEBaccess.redhat.com/security/cve/CVE-2026-26046
WEBbugzilla.redhat.com/show_bug.cgi?id=2440903
WEBnvd.nist.gov/vuln/detail/CVE-2026-26046