CVE-2026-25057

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration (courses/<:course_id>/assignments/upload_config_files). The uploaded zip file entry names are used to create paths to write files to disk without checking these paths. This vulnerability is fixed in 2.9.1.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/MarkUsProject/Markus/commit/0ca002a1f0071c7a00dbb2ed34fede57323c5dc7	Patch
https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1	Product Release Notes
https://github.com/MarkUsProject/Markus/security/advisories/GHSA-mccg-p332-252h	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:markusproject:markus:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-09 20:15

Updated : 2026-02-19 20:25

NVD link : CVE-2026-25057

Mitre link : CVE-2026-25057

CVE.ORG link : CVE-2026-25057

JSON object : View

Products Affected

markusproject

markus

CWE

CWE-23

Relative Path Traversal

{"id": "CVE-2026-25057", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}]}, "published": "2026-02-09T20:15:56.550", "references": [{"url": "https://github.com/MarkUsProject/Markus/commit/0ca002a1f0071c7a00dbb2ed34fede57323c5dc7", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-mccg-p332-252h", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-23"}]}], "descriptions": [{"lang": "en", "value": "MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration (courses/<:course_id>/assignments/upload_config_files). The uploaded zip file entry names are used to create paths to write files to disk without checking these paths. This vulnerability is fixed in 2.9.1."}, {"lang": "es", "value": "MarkUs es una aplicaci\u00f3n web para la entrega y calificaci\u00f3n de trabajos de estudiantes. Antes de 2.9.1, los instructores pueden subir un archivo zip para crear una tarea a partir de una configuraci\u00f3n exportada (courses/<:course_id>/assignments/upload_config_files). Los nombres de las entradas del archivo zip subido se utilizan para crear rutas para escribir archivos en el disco sin verificar estas rutas. Esta vulnerabilidad est\u00e1 corregida en 2.9.1."}], "lastModified": "2026-02-19T20:25:55.387", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:markusproject:markus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D6B2B7B-F46C-4CEE-86D4-B25D3746747A", "versionEndExcluding": "2.9.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}