Hello everyone,
The following versions of Totara have now been released:
- Release 20.1.1
- Release 20.0.5
- Release 19.1.11
- Release 19.0.17
- Release 18.30
- Release 17.43
- Release 16.49
- Release 15.54
- Release 14.57
- Release 13.65
- Release 12.80
- Release 11.80
- Release 10.81
- Release 9.86
These versions contain security fixes, and for this reason we strongly recommend upgrading.
Each release also includes various bug fixes and improvements.
Kind regards
Release Team
A big thanks to the following people for their contributions to this release:
- Stefan Hanauska at Moodle - TL-47403
Release 20.1.1 (28th May 2026)
Security issues:
TL-47403 Fixed a potential bypass on role check (CVE-2025-67856)
TL-48469 Fixed self-XSS in Atto
TL-48506 Fixed filename in prepared file path which should be a name only (CVE-2026-7275)
TL-48507 Fixed SQL injection risk in external database authentication plugin (CVE-2026-7274)
TL-48837 Reverted a security fix related to user file uploads which limited attachments in Engage resources
Performance improvements:
TL-47760 Improved performance of scheduled notifications task
TL-48030 Fixed a case where a failed scheduled report reruns excessively, blocking the scheduled task
Bug fixes:
TL-38381 Removed unnecessary H5P install text
TL-42336 Fixed performance issues in record of learning report for programs
TL-43904 Site branding no longer overrides custom tenant branding
TL-47401 Fixed a race condition in parent/child competency aggregation
TL-48071 Fixed H5P activity names to work with multi-lang filters
TL-48135 Fixed hidden or disabled activities not being shown in the course completion editor
TL-48217 Fixed an issue when applying the date content filter to the tasks and alerts report source
TL-48300 Fixed webhook endpoint URL saving to not encode the endpoint
TL-48302 Fixed performance for Resources Engagement report source
TL-48305 Ensured launch course buttons display correctly for programs and certifications in learner view
TL-48403 Ensured program and certification short names support multi-lang properly
TL-48421 Fixed a bug with config variables overriding settings on the settings pages
TL-48465 Fixed a UX issue where dropdown was overlapping on label
TL-48468 Fixed an issue where background report exports did not release the lock created in entrypoint
TL-48470 Improved the cleanup of report builder cache tables when the report is deleted
TL-48500 Security report for path checking will warn if it encounters a 401 instead of the expected 404
TL-48508 Hiding the notification preference cog if the user does not have the appropriate capability
TL-48528 Fixed an issue where scripting_id is not found in the stage
TL-48530 Fixed an issue where purging LTI submission data could remove an LTI activity’s grade item and cause course and completion views to throw exceptions for other enrolled users.
TL-48541 Fixed doc block for is_user_access_prevented() in accesslib
TL-48572 Fixed HR Import accepting incorrectly formatted date and datetime values for custom user profile fields
TL-48790 Added logstore event for when audience visibility changed
TL-48791 Added logstore event while creating cohort role bindings
TL-48792 Added logstore event while deleting cohort role bindings
TL-48793 Added logstore event for cohort role assignment sync
TL-48795 Added logstore events when course categories are deleted
TL-48797 Added logstore event for when course completion is deleted
TL-48798 Added logstore event for when course completion history is deleted
TL-48824 Fixed toolbar and sidebar filters in the program completions tab
TL-48840 Fixed oEmbed reader retrieving incorrect video dimension
TL-48856 Fixed a bug where the user CSV upload was not accepting dates in the csvdateformat configured format
TL-38833 Visually emphasised the end of progress bars with an optional dot indicator
TL-45679 Applied word wrapping to calendar date cells
TL-48203 Fixed wrong heading and multilang support in grades overview report
TL-48211 Improved accessibility for catalogue card details content with scroll bars
Library updates:
TL-48504 Upgraded PHPUnit to latest version to fix a security problem (CVE-2026-24765)
TL-48649 Upgraded robrichards/xmlseclibs to 3.1.5 (CVE-2026-32313)
Contributions:
* Stefan Hanauska at Moodle - TL-47403
Release 20.0.5 (28th May 2026)
Security issues:
TL-47403 Fixed a potential bypass on role check (CVE-2025-67856)
TL-48469 Fixed self-XSS in Atto
TL-48506 Fixed filename in prepared file path which should be a name only (CVE-2026-7275)
TL-48507 Fixed SQL injection risk in external database authentication plugin (CVE-2026-7274)
TL-48837 Reverted a security fix related to user file uploads which limited attachments in Engage resources
Performance improvements:
TL-47760 Improved performance of scheduled notifications task
TL-48030 Fixed a case where a failed scheduled report reruns excessively, blocking the scheduled task
Bug fixes:
TL-38381 Removed unnecessary H5P install text
TL-42336 Fixed performance issues in record of learning report for programs
TL-43904 Site branding no longer overrides custom tenant branding
TL-47401 Fixed a race condition in parent/child competency aggregation
TL-48071 Fixed H5P activity names to work with multi-lang filters
TL-48135 Fixed hidden or disabled activities not being shown in the course completion editor
TL-48217 Fixed an issue when applying the date content filter to the tasks and alerts report source
TL-48300 Fixed webhook endpoint URL saving to not encode the endpoint
TL-48302 Fixed performance for Resources Engagement report source
TL-48305 Ensured launch course buttons display correctly for programs and certifications in learner view
TL-48403 Ensured program and certification short names support multi-lang properly
TL-48421 Fixed a bug with config variables overriding settings on the settings pages
TL-48465 Fixed a UX issue where dropdown was overlapping on label
TL-48468 Fixed an issue where background report exports did not release the lock created in entrypoint
TL-48470 Improved the cleanup of report builder cache tables when the report is deleted
TL-48500 Security report for path checking will warn if it encounters a 401 instead of the expected 404
TL-48508 Hiding the notification preference cog if the user does not have the appropriate capability
TL-48528 Fixed an issue where scripting_id is not found in the stage
TL-48530 Fixed an issue where purging LTI submission data could remove an LTI activity’s grade item and cause course and completion views to throw exceptions for other enrolled users.
TL-48541 Fixed doc block for is_user_access_prevented() in accesslib
TL-48572 Fixed HR Import accepting incorrectly formatted date and datetime values for custom user profile fields
TL-48790 Added logstore event for when audience visibility changed
TL-48791 Added logstore event while creating cohort role bindings
TL-48792 Added logstore event while deleting cohort role bindings
TL-48793 Added logstore event for cohort role assignment sync
TL-48795 Added logstore events when course categories are deleted
TL-48797 Added logstore event for when course completion is deleted
TL-48798 Added logstore event for when course completion history is deleted
TL-48824 Fixed toolbar and sidebar filters in the program completions tab
TL-48840 Fixed oEmbed reader retrieving incorrect video dimension
TL-48856 Fixed a bug where the user CSV upload was not accepting dates in the csvdateformat configured format
TL-38833 Visually emphasised the end of progress bars with an optional dot indicator
TL-45679 Applied word wrapping to calendar date cells
TL-48203 Fixed wrong heading and multilang support in grades overview report
TL-48211 Improved accessibility for catalogue card details content with scroll bars
TL-48258 Added missing scope on program assignment headers and fixed table structure on seminar session events
Library updates:
TL-48504 Upgraded PHPUnit to latest version to fix a security problem (CVE-2026-24765)
TL-48649 Upgraded robrichards/xmlseclibs to 3.1.5 (CVE-2026-32313)
Contributions:
* Stefan Hanauska at Moodle - TL-47403
Release 19.1.11 (28th May 2026)
Security issues:
TL-48506 Fixed filename in prepared file path which should be a name only (CVE-2026-7275)
TL-48507 Fixed SQL injection risk in external database authentication plugin (CVE-2026-7274)
Performance improvements:
TL-48030 Fixed a case where a failed scheduled report reruns excessively, blocking the scheduled task
Bug fixes:
TL-38381 Removed unnecessary H5P install text
TL-48302 Fixed performance for Resources Engagement report source
TL-48421 Fixed a bug with config variables overriding settings on the settings pages
TL-48572 Fixed HR Import accepting incorrectly formatted date and datetime values for custom user profile fields
TL-48840 Fixed oEmbed reader retrieving incorrect video dimension
TL-48203 Fixed wrong heading and multilang support in grades overview report
Release 19.0.17 (28th May 2026)
Security issues:
TL-47403 Fixed a potential bypass on role check (CVE-2025-67856)
TL-48469 Fixed self-XSS in Atto
TL-48506 Fixed filename in prepared file path which should be a name only (CVE-2026-7275)
TL-48507 Fixed SQL injection risk in external database authentication plugin (CVE-2026-7274)
TL-48837 Reverted a security fix related to user file uploads which limited attachments in Engage resources
Performance improvements:
TL-48030 Fixed a case where a failed scheduled report reruns excessively, blocking the scheduled task
Bug fixes:
TL-38381 Removed unnecessary H5P install text
TL-42336 Fixed performance issues in record of learning report for programs
TL-43904 Site branding no longer overrides custom tenant branding
TL-47401 Fixed a race condition in parent/child competency aggregation
TL-48135 Fixed hidden or disabled activities not being shown in the course completion editor
TL-48217 Fixed an issue when applying the date content filter to the tasks and alerts report source
TL-48302 Fixed performance for Resources Engagement report source
TL-48421 Fixed a bug with config variables overriding settings on the settings pages
TL-48470 Improved the cleanup of report builder cache tables when the report is deleted
TL-48473 Added missing activity_id parameter value to the Performance Activity Response Data export query
TL-48530 Fixed an issue where purging LTI submission data could remove an LTI activity’s grade item and cause course and completion views to throw exceptions for other enrolled users.
TL-48541 Fixed doc block for is_user_access_prevented() in accesslib
TL-48572 Fixed HR Import accepting incorrectly formatted date and datetime values for custom user profile fields
TL-48790 Added logstore event for when audience visibility changed
TL-48791 Added logstore event while creating cohort role bindings
TL-48792 Added logstore event while deleting cohort role bindings
TL-48793 Added logstore event for cohort role assignment sync
TL-48795 Added logstore events when course categories are deleted
TL-48797 Added logstore event for when course completion is deleted
TL-48798 Added logstore event for when course completion history is deleted
TL-48840 Fixed oEmbed reader retrieving incorrect video dimension
TL-38833 Visually emphasised the end of progress bars with an optional dot indicator
TL-45679 Applied word wrapping to calendar date cells
TL-48203 Fixed wrong heading and multilang support in grades overview report
Library updates:
TL-48504 Upgraded PHPUnit to latest version to fix a security problem (CVE-2026-24765)
TL-48649 Upgraded robrichards/xmlseclibs to 3.1.5 (CVE-2026-32313)
Contributions:
* Stefan Hanauska at Moodle - TL-47403
Release 18.30 (28th May 2026)
Security issues:
TL-47403 Fixed a potential bypass on role check (CVE-2025-67856)
TL-48469 Fixed self-XSS in Atto
TL-48506 Fixed filename in prepared file path which should be a name only (CVE-2026-7275)
TL-48507 Fixed SQL injection risk in external database authentication plugin (CVE-2026-7274)
TL-48837 Reverted a security fix related to user file uploads which limited attachments in Engage resources
Performance improvements:
TL-48030 Fixed a case where a failed scheduled report reruns excessively, blocking the scheduled task
Bug fixes:
TL-38381 Removed unnecessary H5P install text
TL-48135 Fixed hidden or disabled activities not being shown in the course completion editor
TL-48217 Fixed an issue when applying the date content filter to the tasks and alerts report source
TL-48421 Fixed a bug with config variables overriding settings on the settings pages
TL-48470 Improved the cleanup of report builder cache tables when the report is deleted
TL-48473 Added missing activity_id parameter value to the Performance Activity Response Data export query
TL-48530 Fixed an issue where purging LTI submission data could remove an LTI activity’s grade item and cause course and completion views to throw exceptions for other enrolled users.
TL-48541 Fixed doc block for is_user_access_prevented() in accesslib
TL-48572 Fixed HR Import accepting incorrectly formatted date and datetime values for custom user profile fields
TL-48840 Fixed oEmbed reader retrieving incorrect video dimension
TL-48203 Fixed wrong heading and multilang support in grades overview report
Library updates:
TL-48504 Upgraded PHPUnit to latest version to fix a security problem (CVE-2026-24765)
TL-48649 Upgraded robrichards/xmlseclibs to 3.1.5 (CVE-2026-32313)
Contributions:
* Stefan Hanauska at Moodle - TL-47403
Release 17.43 (28th May 2026)
Security issues:
TL-47403 Fixed a potential bypass on role check (CVE-2025-67856)
TL-48469 Fixed self-XSS in Atto
TL-48506 Fixed filename in prepared file path which should be a name only (CVE-2026-7275)
TL-48507 Fixed SQL injection risk in external database authentication plugin (CVE-2026-7274)
TL-48837 Reverted a security fix related to user file uploads which limited attachments in Engage resources
Bug fixes:
TL-48217 Fixed an issue when applying the date content filter to the tasks and alerts report source
TL-48442 Stopped notifications from being triggered for unavailable programs and certifications
TL-48470 Improved the cleanup of report builder cache tables when the report is deleted
TL-48530 Fixed an issue where purging LTI submission data could remove an LTI activity’s grade item and cause course and completion views to throw exceptions for other enrolled users.
TL-48541 Fixed doc block for is_user_access_prevented() in accesslib
TL-48572 Fixed HR Import accepting incorrectly formatted date and datetime values for custom user profile fields
Library updates:
TL-48504 Upgraded PHPUnit to latest version to fix a security problem (CVE-2026-24765)
Contributions:
* Stefan Hanauska at Moodle - TL-47403
Release 16.49 (28th May 2026)
Security issues:
TL-48506 Fixed filename in prepared file path which should be a name only (CVE-2026-7275)
TL-48507 Fixed SQL injection risk in external database authentication plugin (CVE-2026-7274)
Bug fixes:
TL-48572 Fixed HR Import accepting incorrectly formatted date and datetime values for custom user profile fields
Release 15.54 (28th May 2026)
Security issues:
TL-48506 Fixed filename in prepared file path which should be a name only (CVE-2026-7275)
TL-48507 Fixed SQL injection risk in external database authentication plugin (CVE-2026-7274)
Release 14.57 (28th May 2026)
Security issues:
TL-48506 Fixed filename in prepared file path which should be a name only (CVE-2026-7275)
TL-48507 Fixed SQL injection risk in external database authentication plugin (CVE-2026-7274)
Release 13.65 (28th May 2026)
Security issues:
TL-48506 Fixed filename in prepared file path which should be a name only (CVE-2026-7275)
TL-48507 Fixed SQL injection risk in external database authentication plugin (CVE-2026-7274)
Release 12.80 (28th May 2026)
Security issues:
TL-48506 Fixed filename in prepared file path which should be a name only (CVE-2026-7275)
TL-48507 Fixed SQL injection risk in external database authentication plugin (CVE-2026-7274)
Release 11.80 (28th May 2026)
Security issues:
TL-48506 Fixed filename in prepared file path which should be a name only (CVE-2026-7275)
TL-48507 Fixed SQL injection risk in external database authentication plugin (CVE-2026-7274)
Release 10.81 (28th May 2026)
Security issues:
TL-48506 Fixed filename in prepared file path which should be a name only (CVE-2026-7275)
TL-48507 Fixed SQL injection risk in external database authentication plugin (CVE-2026-7274)
Release 9.86 (28th May 2026)
Security issues:
TL-48506 Fixed filename in prepared file path which should be a name only (CVE-2026-7275)
TL-48507 Fixed SQL injection risk in external database authentication plugin (CVE-2026-7274)
