After the May 7, 2026 Canvas LMS breach — roughly 275 million records exfiltrated from Instructure across thousands of institutions — boards and IT leaders are all asking one question: "Are our students' records safe?" With FERPA (US) and GDPR (EU) on the line, the answer isn't just a security question anymore — it's a compliance one. Pick your Moodle version below to find out where you stand.
Each Moodle release lifts its minimum PHP version. Moodle 4.4 needs PHP 8.1+ and 5.0 needs PHP 8.2+. Skipping releases means coordinating multiple PHP migrations at once, and PHP 8.1 itself has been end-of-life since Dec 2025.
02. Plugin compatibility
Most production Moodle sites run 10–30 community plugins. Moodle won't refuse to upgrade with incompatible plugins — they'll just break silently. Every plugin must be re-tested against the target version.
03. Database minimum bumps
5.0+ requires MySQL 8.4+, MariaDB 10.11+, or PostgreSQL 14+. Operators on MySQL 5.7 or older MariaDB hit a hard floor that has to be solved before the Moodle upgrade can even start.
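An added example, not part of the original page or Cubite's tool: a preflight check for the PHP and database floors listed above, which parses server-reported version strings so that MariaDB is not judged against the MySQL floor and 10.6 is not mistaken for being newer than 10.11. Only the floors stated on this page are encoded; the function names and sample version strings are constructed for illustration.

```python
import re

# Floors exactly as stated on this page; other releases are not assumed.
PHP_MIN = {(4, 4): (8, 1), (5, 0): (8, 2)}
DB_MIN_5_0 = {"mysql": (8, 4), "mariadb": (10, 11), "postgresql": (14, 0)}
PHP_EOL = {(8, 1)}  # the page gives PHP 8.1 as end-of-life since Dec 2025


def ver(text):
    """Return the first major.minor pair in a version string as an int tuple."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no major.minor version in {text!r}")
    return int(m.group(1)), int(m.group(2))


def db_engine(reported):
    """Split a server-reported version string into (engine, (major, minor))."""
    s = reported.lower()
    if "mariadb" in s:
        # MariaDB 10.x can report a "5.5.5-" prefix in its handshake version.
        return "mariadb", ver(re.sub(r"^5\.5\.5-", "", s))
    if "postgresql" in s:
        return "postgresql", ver(s)
    return "mysql", ver(s)  # assumption: anything else is MySQL


def blockers(target, php_version, db_reported):
    """List the prerequisite failures for upgrading to a target Moodle release."""
    t, php, issues = ver(target), ver(php_version), []
    floor = PHP_MIN.get(t)
    if floor is None:
        issues.append(f"no PHP floor on record for Moodle {t[0]}.{t[1]}")
    elif php < floor:
        issues.append(f"PHP {php[0]}.{php[1]} is below the {floor[0]}.{floor[1]} floor")
    if php in PHP_EOL:
        issues.append(f"PHP {php[0]}.{php[1]} is end-of-life")
    if t >= (5, 0):
        engine, dbv = db_engine(db_reported)
        need = DB_MIN_5_0[engine]
        if dbv < need:
            issues.append(f"{engine} {dbv[0]}.{dbv[1]} is below the {need[0]}.{need[1]} floor")
    return issues


if __name__ == "__main__":
    # Constructed sample: a site on PHP 8.1 and MySQL 5.7 aiming for Moodle 5.0.
    for issue in blockers("5.0", "8.1.27", "5.7.44-log"):
        print("BLOCKER:", issue)
```

Plugin compatibility is not covered by this check and still has to be tested per plugin against the target version.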
Talk to a senior Moodle engineer
13+ years of LMS engineering across Moodle, Open edX, and Canvas LTI. Free 30-minute call — bring your audit results, no pitch.
Every advisory is sourced from the public NVD database (the same feed every CVE scanner consumes). CVE IDs, severity ratings (CVSS v3.1), publication dates, and affected version ranges are taken verbatim from NVD. Where the NVD reference includes a moodle.org forum permalink, we cross-link to the original Moodle Security Announcement so you can read the upstream context. Data was last reviewed on 2026-05-08.
Where do I find my Moodle version?
Log in as a site administrator and visit Site administration → Notifications, or browse to /admin/index.php on your Moodle URL. The version banner shows both the marketing version (e.g., 4.5.3+) and the build number. For our tool, just enter the major.minor version, e.g. '4.5'.
What's an LTS release and which one am I on?
Moodle's Long-Term Support releases get an extended security tail beyond the normal one-year general support window. Currently 4.5 is the active LTS (security patches until 2027-10-04). Previous LTS lines were 3.9 and 4.1; both are now end-of-life. The next LTS will be 5.3 when it ships (planned 2026-10-05).
Why are non-LTS releases "Security only" within a year of release?
Moodle ships a non-LTS release roughly every six months. Each non-LTS release gets ~12 months of general support followed by ~6 months of security-only patches before going end-of-life. So a release that came out in April typically loses general support the following April. LTS releases break that pattern — they get a longer security tail.
Do you patch old Moodle releases?
Yes. Cubite has back-ported critical patches to 3.9, 4.1, 4.3, and 4.4 for clients who can't upgrade on a normal cadence (regulatory freezes, custom plugin coordination, vendor contracts, etc.). On the consultation call we'll talk honestly about whether back-porting or upgrading is the right call for your situation.
What about plugins?
This tool tracks Moodle core CVEs only. The community plugin ecosystem is enormous and plugin CVEs publish through individual plugin maintainers, not Moodle HQ. During a consultation we audit your installed plugin list against current advisories and target-version compatibility. If the upgrade you need is from 4.1 → 4.5, plugin compatibility is usually the biggest blocker, not core.
What about Open edX or Canvas LTI?
Cubite covers all three. Open edX has its own free audit tool (linked above the form). Canvas LTI integration — embedding rich Moodle/Open edX-style content inside Canvas via LTI 1.3 — is one of our core service pillars. After the May 2026 Canvas breach, a lot of operators are rethinking their LMS posture, and the consultation covers that conversation.
Will you add new releases and CVEs?
Yes. Moodle ships a release roughly every six months and CVEs publish on the moodle.org/security/ feed quarterly. Adding a release or advisory in our tool is a one-record change.
Spotted a missing CVE or a wrong release date? Email us — accuracy matters more than coverage.