CVE-2026-25221
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Description
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, the OAuth 2.0 implementation for GitHub and Google login providers is vulnerable to Login Cross-Site Request Forgery (CSRF). The application fails to implement and verify the state parameter during the authentication flow. This allows an attacker to pre-authenticate a session and trick a victim into logging into the attacker's account. Any data the victim then enters or academic progress they make is stored on the attacker's account, leading to data loss for the victim and information disclosure to the attacker.
Analysis
PolarLearn versions 0-PRERELEASE-15 and earlier lack proper state parameter validation in OAuth 2.0 authentication, enabling attackers to conduct login CSRF attacks against GitHub and Google login flows. An attacker can pre-authenticate a victim's session and trick them into logging into the attacker's account, causing the victim's data and academic progress to be stored on the attacker's account instead. …
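To make the missing check concrete, the following added example (not PolarLearn's code; the endpoint, client id and redirect URI are hypothetical placeholders) shows an OAuth 2.0 callback handler in the vulnerable form described above next to a hardened one that binds a random state value to the browser session that started the flow and rejects any callback whose state is absent, mismatched or reused:

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values for this example; not PolarLearn's real configuration.
AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://polarlearn.example/auth/github/callback"


def query_param(url, name):
    """Return one query parameter from a URL, or None if it is absent."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]


# Vulnerable pattern (what the advisory describes): no state is issued, and the
# callback accepts whatever authorization code arrives, so a code minted for the
# attacker's account can be delivered to the victim's browser and the victim's
# session ends up logged in as the attacker.
def start_login_vulnerable(session):
    return AUTHORIZE_URL + "?" + urlencode(
        {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "scope": "read:user"})


def callback_vulnerable(session, callback_url):
    return query_param(callback_url, "code")  # exchanged for a token, no origin check


# Hardened pattern: a fresh random state is stored in the session that starts
# the flow and must come back unchanged, exactly once.
def start_login(session):
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return AUTHORIZE_URL + "?" + urlencode(
        {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
         "scope": "read:user", "state": state})


def callback(session, callback_url):
    expected = session.pop("oauth_state", None)  # single use, so a replay fails
    received = query_param(callback_url, "state")
    if expected is None or received is None or not hmac.compare_digest(expected, received):
        raise PermissionError("OAuth state missing or mismatched; login rejected")
    return query_param(callback_url, "code")


def login_csrf_blocked():
    """Advisory scenario against the hardened handler: a flow is started in one
    session and its callback URL is opened in a different session that never
    started a flow. Returns True when the hardened callback rejects it."""
    attacker, victim = {}, {}
    attacker_state = query_param(start_login(attacker), "state")
    forged = REDIRECT_URI + "?" + urlencode(
        {"code": "code-for-attacker-account", "state": attacker_state})
    try:
        callback(victim, forged)
        return False
    except PermissionError:
        return True
```

The same forged callback passed to `callback_vulnerable` is accepted without complaint, which is the defect the advisory reports.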
Remediation
Within 24 hours: Inventory all PolarLearn deployments and versions in use; notify users of the vulnerability and advise temporary password changes. Within 7 days: Apply the available vendor patch to all PolarLearn instances and validate the update in a test environment first. …