Markus
CVE-2026-28405
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content route reads the contents of a student-submitted file and renders them without sanitization. This issue has been patched in version 2.9.1.
AnalysisAI
MarkUs prior to version 2.9.1 fails to sanitize user-submitted file contents in the HTML rendering endpoint, allowing authenticated users with UI interaction to inject malicious scripts that execute in other users' browsers. An attacker can exploit this reflected cross-site scripting vulnerability to steal session tokens, modify grades, or perform actions on behalf of affected students and instructors. The vulnerability has been patched in version 2.9.1.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Markus. MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content route reads the contents of a student-submitted file and renders them without sanitization. This issue has been patched in version 2.9.1.
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 2.9.1.. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
MarkUs grading platform prior to 2.9.1 has a path traversal enabling students to access other students' submissions or g
MarkUs is a web application for the submission and grading of student assignments. Rated high severity (CVSS 7.1), this
MarkUs is a web application for the submission and grading of student assignments. Rated high severity (CVSS 7.1), this
Unrestricted zip file extraction in MarkUs prior to version 2.9.4 allows authenticated users to trigger denial of servic
Markus versions up to 2.9.1 is affected by authorization bypass through user-controlled key (CVSS 6.5).
Markus versions up to 2.9.4 is affected by improper restriction of recursive entity references in dtds (CVSS 4.9).
MarkUs, a web application for the submission and grading of student assignments, is vulnerable to path traversal in vers
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today