Description

Insufficient CSRF token and capability checks were applied to an MNet admin setting.
Severity/Risk: Minor
Versions affected: 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions
Versions fixed: 5.1.4, 5.0.7 and 4.5.11
Reported by: Vincent Schneider
CVE identifier: CVE-2026-7278
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-84495
Tracker issue: MDL-84495 CSRF and missing capability check in admin/mnet/peers.php

The upstream AWS SDK for PHP library was upgraded, which included a security fix.
Severity/Risk: Minor
Versions affected: 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions
Versions fixed: 5.1.4, 5.0.7 and 4.5.11
Reported by: Michael Hawkins
CVE identifier: CVE-2025-14761
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87598
Tracker issue: MDL-87598 Upgrade AWS SDK for PHP including security fix (upstream)

The grade penalty rules reset function did not include the necessary token to prevent a CSRF risk.
Severity/Risk: Minor
Versions affected: 5.1 to 5.1.3 and 5.0 to 5.0.6
Versions fixed: 5.1.4 and 5.0.7
Reported by: Khải nguyễn Đặng
CVE identifier: CVE-2026-7277
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88087
Tracker issue: MDL-88087 CSRF risk in reset penalty rules functionality

The PHPUnit version in Moodle LMS 4.5 required updating to avoid an upstream Poisoned Pipeline Execution (PPE) risk.
Severity/Risk: Minor
Versions affected: 4.5 to 4.5.10
Versions fixed: 4.5.11
Reported by: Huong Nguyen
CVE identifier: CVE-2026-24765
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88381
Tracker issue: MDL-88381 Upgrade PHPUnit version to avoid a security risk (upstream)

A flaw in message handling of conversations with deleted users could result in active users losing access to their private messages.
Severity/Risk: Minor
Versions affected: 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions
Versions fixed: 5.1.4, 5.0.7 and 4.5.11
Reported by: Adam Jenkins
CVE identifier: CVE-2026-7276
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-87760
Tracker issue: MDL-87760 Message panel breaks with messages from deleted users (messaging DoS risk)

A remote code execution risk was identified in Moodle's Google Drive repository plugin.
Severity/Risk: Serious
Versions affected: 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions
Versions fixed: 5.1.4, 5.0.7 and 4.5.11
Reported by: Rojan Rijal
Workaround: Disable the Google Drive repository plugin until the patch has been applied.
CVE identifier: CVE-2026-7275
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88423
Tracker issue: MDL-88423 RCE risk via Moodle's Google Drive repository plugin

An SQL injection risk was identified in the "external database" authentication plugin (auth_db).
Note: This only affected sites with the auth_db authentication plugin enabled.
Severity/Risk: Serious
Versions affected: 5.1 to 5.1.3, 5.0 to 5.0.6, 4.5 to 4.5.10 and earlier unsupported versions
Versions fixed: 5.1.4, 5.0.7 and 4.5.11
Reported by: Melvinsh
CVE identifier: CVE-2026-7274
Changes (main): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-88138
Tracker issue: MDL-88138 SQL injection risk in external database authentication plugin

