CVE-2026-25126

PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (`POST /api/v1/forum/vote`) trusts the JSON body’s `direction` value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., `"x"`) as `direction`. Downstream (`VoteServer`) treats any non-`"up"` and non-`null` value as a downvote and persists the invalid value in `votes_data`. This can be exploited to bypass intended business logic. Version 0-PRERELEASE-15 fixes the vulnerability.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/polarnl/PolarLearn/commit/e6227d94d0e53e854f6a46480db8cd1051184d41	Patch
https://github.com/polarnl/PolarLearn/security/advisories/GHSA-ghpx-5w2p-p3qp	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:polarlearn:polarlearn:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-01-29 22:15

Updated : 2026-02-20 20:46

NVD link : CVE-2026-25126

Mitre link : CVE-2026-25126

CVE.ORG link : CVE-2026-25126

JSON object : View

Products Affected

polarlearn

polarlearn

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2026-25126", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 2.8}]}, "published": "2026-01-29T22:15:56.423", "references": [{"url": "https://github.com/polarnl/PolarLearn/commit/e6227d94d0e53e854f6a46480db8cd1051184d41", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/polarnl/PolarLearn/security/advisories/GHSA-ghpx-5w2p-p3qp", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (`POST /api/v1/forum/vote`) trusts the JSON body\u2019s `direction` value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., `\"x\"`) as `direction`. Downstream (`VoteServer`) treats any non-`\"up\"` and non-`null` value as a downvote and persists the invalid value in `votes_data`. This can be exploited to bypass intended business logic. Version 0-PRERELEASE-15 fixes the vulnerability."}, {"lang": "es", "value": "PolarLearn es un programa de aprendizaje gratuito y de c\u00f3digo abierto. Antes de la versi\u00f3n 0-PRERELEASE-15, la ruta de la API de votaci\u00f3n ('POST /api/v1/forum/vote') conf\u00eda en el valor 'direction' del cuerpo JSON sin validaci\u00f3n en tiempo de ejecuci\u00f3n. Los tipos de TypeScript no se aplican en tiempo de ejecuci\u00f3n, por lo que un atacante puede enviar cadenas arbitrarias (por ejemplo, 'x') como 'direction'. En el flujo descendente ('VoteServer') trata cualquier valor que no sea 'up' y no sea 'null' como un voto negativo y persiste el valor inv\u00e1lido en 'votes_data'. Esto puede ser explotado para eludir la l\u00f3gica de negocio prevista. La versi\u00f3n 0-PRERELEASE-15 corrige la vulnerabilidad."}], "lastModified": "2026-02-20T20:46:35.787", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:polarlearn:polarlearn:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "98DA1036-1EFB-46E7-9C83-425B1C6E6F23"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}