cvedb.io
CVE-2026-25057
CRITICAL · CVSS 9.1
EPSS exploitation probability: 0%
Published 2026-02-09T20:15:56.550 · Last modified 2026-06-17T10:24:03.453

Summary

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration (courses/<:course_id>/assignments/upload_config_files). The uploaded zip file entry names are used to create paths to write files to disk without checking these paths. This vulnerability is fixed in 2.9.1.

Affected products

markusproject — markus

Does this affect you?

Add your gear to cvedb and we'll alert you only when markusproject ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.