Cross-Course Information Disclosure and Data Tampering in Moodle Plugin
CVE-2026-30884

9.6 CRITICAL

Key Information:

Vendor: Mdjnelson
CVE Published: 18 March 2026

What is CVE-2026-30884?

A flaw in the Moodle mod_customcert plugin allows teachers with manage permissions to read and overwrite certificate elements belonging to other courses within the same Moodle instance. The cause is insufficient checking of the elementid parameter in two places: the core_get_fragment callback and the mod_customcert_save_element web service. As a result, unauthorized users can view and manipulate sensitive data, including certificate configurations, potentially compromising academic integrity.
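
The missing ownership check described above, modelled as an added example (this is not the plugin's code, which is PHP). The course names, user, element ids and function names are all constructed for illustration, and the model assumes each element belongs to exactly one course.

```python
from copy import deepcopy

class AccessDenied(Exception):
    pass

# Constructed sample data: one site, two courses, one certificate element each.
ELEMENTS = {
    101: {"course": "course_a", "name": "Student name", "data": "font=helvetica"},
    202: {"course": "course_b", "name": "Signature", "data": "file=dean.png"},
}
# Courses in which each user holds the manage permission (constructed).
MANAGE = {"teacher_a": {"course_a"}}

def require_manage(user, course):
    if course not in MANAGE.get(user, set()):
        raise AccessDenied(f"{user} cannot manage {course}")

def load_unchecked(elements, user, course, elementid):
    """Flawed pattern: permission is checked for the course named in the
    request, but the element is fetched by id alone."""
    require_manage(user, course)
    return elements[elementid]

def load_checked(elements, user, course, elementid):
    """Hardened pattern: the element must belong to the course the caller
    was authorised for; unknown and foreign ids fail identically."""
    require_manage(user, course)
    element = elements.get(elementid)
    if element is None or element["course"] != course:
        raise AccessDenied(f"element {elementid} is not part of {course}")
    return element

def save_element(loader, elements, user, course, elementid, data):
    """Write path; the read path is the loader on its own."""
    element = loader(elements, user, course, elementid)
    element["data"] = data
    return element

def demo():
    """Same request against both patterns: returns (flawed data, fixed data, blocked)."""
    flawed, fixed = deepcopy(ELEMENTS), deepcopy(ELEMENTS)
    save_element(load_unchecked, flawed, "teacher_a", "course_a", 202, "file=x.png")
    try:
        save_element(load_checked, fixed, "teacher_a", "course_a", 202, "file=x.png")
        blocked = False
    except AccessDenied:
        blocked = True
    return flawed[202]["data"], fixed[202]["data"], blocked
```

Both the read and the write path go through the same loader, so binding the element to the authorised course in one place covers both entry points in the model.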

Affected Version(s)

moodle-mod_customcert < 4.4.9

moodle-mod_customcert >= 5.0.0, < 5.0.3

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved