{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26047", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "state": "PUBLISHED", "assignerShortName": "fedora", "dateReserved": "2026-02-10T13:30:03.986Z", "datePublished": "2026-02-21T05:40:11.001Z", "dateUpdated": "2026-02-23T19:30:25.686Z"}, "containers": {"cna": {"title": "Moodle: moodle: uncontrolled resource consumption in tex formula editor leading to denial of service", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A denial-of-service vulnerability was identified in Moodle\u2019s TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to consume excessive server resources. An authenticated user could abuse this behavior to degrade performance or cause service interruption."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "4.5.9", "versionType": "semver"}, {"status": "affected", "version": "5.0.0", "lessThan": "5.0.5", "versionType": "semver"}, {"status": "affected", "version": "5.1.0", "lessThan": "5.1.2", "versionType": "semver"}], "packageName": "moodle", "collectionURL": "https://github.com/moodle/moodle", "defaultStatus": "unaffected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-26047", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440905", "name": "RHBZ#2440905", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-02-19T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption", "timeline": [{"lang": "en", "time": "2026-02-19T08:55:57.177Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-02-19T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Aleksey Solovev (Positive Technologies) for reporting this issue."}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2026-02-21T05:40:11.001Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T19:29:50.672029Z", "id": "CVE-2026-26047", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T19:30:25.686Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26047", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T19:29:50.672029Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T19:30:17.476Z"}}], "cna": {"title": "Moodle: moodle: uncontrolled resource consumption in tex formula editor leading to denial of service", "credits": [{"lang": "en", "value": "Red Hat would like to thank Aleksey Solovev (Positive Technologies) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "4.5.9", "versionType": "semver"}, {"status": "affected", "version": "5.0.0", "lessThan": "5.0.5", "versionType": "semver"}, {"status": "affected", "version": "5.1.0", "lessThan": "5.1.2", "versionType": "semver"}], "packageName": "moodle", "collectionURL": "https://github.com/moodle/moodle", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-19T08:55:57.177Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-02-19T00:00:00.000Z", "value": "Made public."}], "datePublic": "2026-02-19T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-26047", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440905", "name": "RHBZ#2440905", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "descriptions": [{"lang": "en", "value": "A denial-of-service vulnerability was identified in Moodle\u2019s TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to consume excessive server resources. An authenticated user could abuse this behavior to degrade performance or cause service interruption."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2026-02-21T05:40:11.001Z"}, "x_redhatCweChain": "CWE-400: Uncontrolled Resource Consumption"}}, "cveMetadata": {"cveId": "CVE-2026-26047", "state": "PUBLISHED", "dateUpdated": "2026-02-23T19:30:25.686Z", "dateReserved": "2026-02-10T13:30:03.986Z", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "datePublished": "2026-02-21T05:40:11.001Z", "assignerShortName": "fedora"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "80B1995C-45EB-41E5-A497-D565964750A1", "versionEndExcluding": "4.5.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "8CDB0968-2E2B-4C2F-BF59-9479D1EEC287", "versionEndExcluding": "5.0.5", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "36833D08-9C77-48B1-9240-7F326F5BB1CC", "versionEndExcluding": "5.1.2", "versionStartIncluding": "5.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A denial-of-service vulnerability was identified in Moodle\u2019s TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to consume excessive server resources. An authenticated user could abuse this behavior to degrade performance or cause service interruption."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de denegaci\u00f3n de servicio en el editor de f\u00f3rmulas TeX de Moodle. Al renderizar contenido TeX usando mimetex, si los l\u00edmites de tiempo de ejecuci\u00f3n son insuficientes, podr\u00edan permitir que f\u00f3rmulas especialmente dise\u00f1adas consuman excesivos recursos del servidor. Un usuario autenticado podr\u00eda abusar de este comportamiento para degradar el rendimiento o causar interrupci\u00f3n del servicio."}], "id": "CVE-2026-26047", "lastModified": "2026-02-26T19:45:29.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "patrick@puiterwijk.org", "type": "Secondary"}]}, "published": "2026-02-21T06:17:00.377", "references": [{"source": "patrick@puiterwijk.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2026-26047"}, {"source": "patrick@puiterwijk.org", "tags": ["Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440905"}], "sourceIdentifier": "patrick@puiterwijk.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "patrick@puiterwijk.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "moodle", "vendor": "moodle"}], "analysis": {"en": {"generated_at": "2026-04-17T16:52:26.546177+00:00", "value": {"mitigation_remediation": ["Apply the latest Moodle security patch or upgrade to a secure release that addresses the TeX rendering resource limits.", "Configure the mimetex engine or TeX rendering subsystem to enforce strict execution time and memory limits, such as setting maximum CPU time or memory usage thresholds.", "Restrict TeX editor access so that only trusted or administrative users can create formulas, reducing the attack surface for unprivileged users."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is Moodle, as indicated by the CPE string and the vendor/product naming. The description does not specify particular release numbers, so all publicly available Moodle versions that include the TeX formula editor are potentially impacted. Administrators should verify which Moodle release they run and compare it against the vendor\u2019s security advisories for patches.", "description_and_impact": "The vulnerability resides in Moodle\u2019s TeX formula editor. When a user renders TeX content using the mimetex engine, the system does not enforce strict execution time limits. An attacker can supply specially crafted formulas that consume an excessive amount of CPU and memory, ultimately exhausting server resources and halting normal operation. This flaw permits a logged\u2011in user to degrade performance or to trigger a service outage, effectively achieving a denial\u2011of\u2011service condition. The weakness reflects uncontrolled resource consumption (CWE\u2011400) and excessive allocation of resources (CWE\u2011770).", "risk_and_exploitability": "The CVSS score of 6.5 denotes a moderate severity vulnerability. The EPSS score of less than 1% indicates that exploitation is currently considered unlikely, yet the vulnerability is exploitable by any authenticated user. Attackers would need an active session with write permissions to the TeX editor and would craft a formula designed to flood CPU or memory. No proof\u2011of\u2011concept code is publicly available, and the issue has not been listed in CISA\u2019s KEV catalog, suggesting no widespread, actively exploited weaponization to date. Nevertheless, administrators should treat this as a risk for service continuity."}}}}, "created": "2026-02-23T14:32:35.554363+00:00", "updated": "2026-04-17T17:00:10.182810+00:00", "vendors": ["moodle", "moodle$PRODUCT$moodle"]}