CVE-2026-25057

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration (courses/<:course_id>/assignments/upload_config_files). The uploaded zip file entry names are used to create paths to write files to disk without checking these paths. This vulnerability is fixed in 2.9.1.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/MarkUsProject/Markus/commit/0ca002a1f0071c7a00dbb2ed34fede57323c5dc7	Patch
https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1	Product Release Notes
https://github.com/MarkUsProject/Markus/security/advisories/GHSA-mccg-p332-252h	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:markusproject:markus:*:*:*:*:*:*:*:*

History

19 Feb 2026, 20:25

Type	Values Removed	Values Added
References	~~() https://github.com/MarkUsProject/Markus/commit/0ca002a1f0071c7a00dbb2ed34fede57323c5dc7 -~~	() https://github.com/MarkUsProject/Markus/commit/0ca002a1f0071c7a00dbb2ed34fede57323c5dc7 - Patch
References	~~() https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1 -~~	() https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1 - Product, Release Notes
References	~~() https://github.com/MarkUsProject/Markus/security/advisories/GHSA-mccg-p332-252h -~~	() https://github.com/MarkUsProject/Markus/security/advisories/GHSA-mccg-p332-252h - Vendor Advisory
CPE		cpe:2.3:a:markusproject:markus::::::::
First Time		Markusproject markus Markusproject
Summary		(es) MarkUs es una aplicación web para la entrega y calificación de trabajos de estudiantes. Antes de 2.9.1, los instructores pueden subir un archivo zip para crear una tarea a partir de una configuración exportada (courses/<:course_id>/assignments/upload_config_files). Los nombres de las entradas del archivo zip subido se utilizan para crear rutas para escribir archivos en el disco sin verificar estas rutas. Esta vulnerabilidad está corregida en 2.9.1.

09 Feb 2026, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-09 20:15

Updated : 2026-02-19 20:25

NVD link : CVE-2026-25057

Mitre link : CVE-2026-25057

CVE.ORG link : CVE-2026-25057

JSON object : View

Products Affected

markusproject

markus

CWE

CWE-23

Relative Path Traversal

9.1 /10