Skip to main content

Moodle 5.2.1

Release date: 8 June 2026

Here is the full list of fixed issues in 5.2.1.

General fixes and improvements

  • MDL-88637 - H5P content fails to load or navigate after Moodle 4.5.11 upgrade / h5plibraryhandler 1.28
  • MDL-88518 - H5P downloader task fails on new sites
  • MDL-88274 - Upgrade step cleanup_questions_without_categories takes too much time
  • MDL-88083 - Assign statistics and overview page should not count unenrolled users
  • MDL-88252 - Azure AI provider does not support "." character in some settings where it is valid
  • MDL-80321 - "Next page" is displayed if the student exits and resumes the lesson after a wrong answer, and "Maximum number of attempts per question" is set to "Unlimited"
  • MDL-72933 - Audio not visible in Lesson activity
  • MDL-66780 - Hiding a section makes it show, in specific circumstances
  • MDL-88718 - Thumbnail generation fails for .webp in Database activities (unsupported mime type)
  • MDL-88698 - BigBlueButton does not backup presentation file
  • MDL-88660 - Guest access enabled causes invalid redirect after self-enrolment using enrolment key
  • MDL-88592 - Cannot select current quiz in "Switch bank" interface
  • MDL-88539 - New login screen image is not full height when there is page scroll
  • MDL-88517 - BigBlueButton course copy/restore does not apply date offset to openingtime and closingtime
  • MDL-88512 - Calendar subscriptions attached to a category are not deleted when deleting the category
  • MDL-88479 - Initial spacing of paging preference selector incorrect in course overview block
  • MDL-88453 - Course single topic view does not return to topic when exiting a SCORM
  • MDL-88432 - Single quotes in search query return no results on MSSQL (non full-text fallback path)
  • MDL-88403 - Number custom field ad hoc recalculate task skips shared custom fields
  • MDL-88400 - Importing materials from a course with a long shortname does not work
  • MDL-88369 - In the "Recycle bin" view of the course categories, course names should be filtered
  • MDL-88314 - OpenAI API provider's generate text fails when think tags are present
  • MDL-88162 - Allow the course_delete_modules task to retry as there can be intermittent failures
  • MDL-88137 - MFA remaining attempts becomes negative after lockout threshold is reached and page is refreshed
  • MDL-88133 - Server file repository double encodes file listing when browsing repositories
  • MDL-87983 - Hidden course categories with calendar subscriptions make calendar subscription management unusable
  • MDL-87958 - Special characters are not correctly displayed for group and course names in group messages
  • MDL-87930 - Restricted subsections with eye closed are displayed in the Navigation block
  • MDL-87896 - Upgrade key validation does not inform user if they got it wrong
  • MDL-87555 - Enrolment expiry action "Unenrol user from course" in enrol_fee suspends the user instead of unenrolling them
  • MDL-87497 - YUI datepicker language and display issue
  • MDL-87459 - Feedback name in the Feedback notification email subject should have filtering applied
  • MDL-87398 - Assignment cut-off date disclosed on late submission notifications
  • MDL-87291 - "Clear all" does not clear the records or search filters used in the Database activity search feature
  • MDL-86816 - Quiz notifications sent to all students regardless of activity restrictions
  • MDL-86169 - Cannot re-enable enrolments suspended by IMS enterprise enrolment
  • MDL-83815 - Unable to remove Forum rating or set to none
  • MDL-83091 - Race condition with cached CSS and caching proxies
  • MDL-68682 - Lesson short answer question fields are not displayed inline

Accessibility fixes and improvements

  • MDL-88401 - AI: Accessibility-Labels for Copy buttons and Regenerate not sufficiently descriptive
  • MDL-88342 - Duplicate empty icon links in the question banks page
  • MDL-88242 - "core/search_input_auto" can cause duplicate search landmark issues
  • MDL-87219 - Dimmed activity in course index even when restriction is fulfilled

Security improvements

  • MDL-88605 - Updating users' calendar preferences reads/writes values for wrong user
  • MDL-88586 - RSS client confuses assignment/comparison operator in context checks
  • MDL-83526 - Session Token Missing SameSite Attribute

Security fixes

  • MSA-26-0012 - Arbitrary file read risk in Database activity module
  • MSA-26-0013 - Email-based MFA bypass
  • MSA-26-0014 - Arbitrary file read risk in backup restore
  • MSA-26-0015 - RCE risk via admin presets import
  • MSA-26-0016 - Missing group access checks in grade web services
  • MSA-26-0017 - IDOR allows arbitrary comment deletion
  • MSA-26-0018 - CSRF risk in user homepage preference setting
  • MSA-26-0019 - CSRF risk in user profile page reset
  • MSA-26-0020 - Reflected XSS via Feedback import error message
  • MSA-26-0021 - CSRF and XSS in grade item idnumber editing
  • MSA-26-0022 - CSRF risk in group messaging state toggle
  • MSA-26-0023 - CSRF risk when adding quiz section headings
  • MSA-26-0024 - Missing capability checks in AI placement web services
  • MSA-26-0025 - CSRF risk in quiz attempt regrading
  • MSA-26-0026 - Missing capability check in Assignment marker allocation
  • MSA-26-0027 - Blind SSRF risk in MNet peers function
  • MSA-26-0028 - DoS risk via user profile description
  • MSA-26-0029 - Missing capability checks in report builder fragment callbacks