Skip to main content

Markus CVE-2026-25057

CRITICAL
Relative Path Traversal (CWE-23)
2026-02-09 security-advisories@github.com
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 19, 2026 - 20:25 nvd
Patch available
CVE Published
Feb 09, 2026 - 20:15 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration (courses/<:course_id>/assignments/upload_config_files). The uploaded zip file entry names are used to create paths to write files to disk without checking these paths. This vulnerability is fixed in 2.9.1.

AnalysisAI

MarkUs grading platform prior to 2.9.1 has a path traversal enabling students to access other students' submissions or grading data.

Technical ContextAI

MarkUs < 2.9.1 has a CWE-23 relative path traversal that allows users to access files outside their intended scope, potentially reading other students' submissions or instructor grading data.

RemediationAI

Update MarkUs to 2.9.1+.

Share

CVE-2026-25057 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy