CVE-2025-26532: Teachers can evade trusttext config when restoring glossary entries

3.1 CVSS

Description

Additional checks were required to ensure trusttext is applied (when enabled) to glossary entries being restored.

Classification

CVE ID: CVE-2025-26532

CVSS Base Severity: LOW

CVSS Base Score: 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem Types

CWE-863 Incorrect Authorization

Affected Products

Vendor: Moodle Project

Product: moodle

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 4.39% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-25 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-26532
https://moodle.org/mod/forum/discuss.php?d=466149
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84003

Timeline