Markus
CVE-2026-24900
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content accepted a select_file_id parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correctly scoped to the requesting user, allowing users access arbitrary submission file contents by id. This vulnerability is fixed in 2.9.1.
AnalysisAI
Markus versions up to 2.9.1 is affected by authorization bypass through user-controlled key (CVSS 6.5).
Technical ContextAI
This vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key) affects Markus. MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content accepted a select_file_id parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correctly scoped to the requesting user, allowing users access arbitrary submission file contents by id. This vulnerability is fixed in 2.9.1.
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 2.9.1.. Restrict network access to the affected service where possible.
MarkUs grading platform prior to 2.9.1 has a path traversal enabling students to access other students' submissions or g
MarkUs prior to version 2.9.1 fails to sanitize user-submitted file contents in the HTML rendering endpoint, allowing au
MarkUs is a web application for the submission and grading of student assignments. Rated high severity (CVSS 7.1), this
MarkUs is a web application for the submission and grading of student assignments. Rated high severity (CVSS 7.1), this
Unrestricted zip file extraction in MarkUs prior to version 2.9.4 allows authenticated users to trigger denial of servic
Markus versions up to 2.9.4 is affected by improper restriction of recursive entity references in dtds (CVSS 4.9).
MarkUs, a web application for the submission and grading of student assignments, is vulnerable to path traversal in vers
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today