What is the CVSS score of CVE-2026-25126?

CVE-2026-25126 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Polarlearn are affected by CVE-2026-25126?

PolarLearn installations prior to version 0-PRERELEASE-15 contain an API validation flaw that allows attackers to manipulate forum voting functionality through malicious requests.. A patch is available.

Is there a public PoC exploit available for CVE-2026-25126?

Yes, a public proof-of-concept exploit is available for CVE-2026-25126. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-25126?

Within 24 hours: Identify all PolarLearn instances in your environment and document their current versions. Within 7 days: Apply the available patch to all affected PolarLearn deployments and validate successful installation. Within 30 days: Conduct a security audit of forum voting records to identify any suspicious activity during the vulnerable period and implement input validation testing in your deployment pipeline.

Polarlearn CVE-2026-25126

HIGH

Improper Input Validation (CWE-20)

2026-01-29 security-advisories@github.com

Code Injection Polarlearn

7.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:00 vuln.today

PoC Detected

Feb 20, 2026 - 20:46 vuln.today

Public exploit code

Patch released

Feb 20, 2026 - 20:46 nvd

Patch available

CVE Published

Jan 29, 2026 - 22:15 nvd

HIGH 7.1

DescriptionGitHub Advisory

PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (POST /api/v1/forum/vote) trusts the JSON body’s direction value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., "x") as direction. Downstream (VoteServer) treats any non-"up" and non-null value as a downvote and persists the invalid value in votes_data. This can be exploited to bypass intended business logic. Version 0-PRERELEASE-15 fixes the vulnerability.

AnalysisAI

PolarLearn versions prior to 0-PRERELEASE-15 fail to validate the direction parameter in the forum vote API endpoint, allowing authenticated attackers to submit arbitrary values that bypass business logic and corrupt vote data. Public exploit code exists for this vulnerability. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send POST request to /api/v1/forum/vote

Exploit

Inject arbitrary string in direction JSON field

Execution

Bypass vote validation logic

Impact

Persist invalid vote data in database