Cyber Posture

CVE-2026-25057

Critical

Published: 09 February 2026

Modified: 19 February 2026
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.0th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a ZIP file to create an assignment from an exported configuration (courses/<:course_id>/assignments/upload_config_files). The uploaded ZIP file entry names are used to create paths to write files to disk without checking these paths. This vulnerability is fixed in 2.9.1.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Requires validation of ZIP file entry names to block path traversal sequences, directly preventing arbitrary file writes to disk.

prevent: Mandates timely flaw remediation by upgrading to MarkUs 2.9.1 or later, which fixes the unchecked ZIP path handling.

prevent: Enforces access control policies to restrict file write operations by instructors to only intended directories, limiting path traversal impact.

Security Summary [AI]

CVE-2026-25057 is a path traversal vulnerability (CWE-23) affecting MarkUs, an open-source web application used for the submission and grading of student assignments. In versions prior to 2.9.1, the feature allowing instructors to upload a ZIP file for creating an assignment from an exported configuration—accessible via the endpoint courses/<:course_id>/assignments/upload_config_files—fails to validate the entry names within the ZIP archive. These unchecked entry names are directly used to construct file paths for writing to the server's disk, enabling attackers to write files to arbitrary locations.

An authenticated instructor (PR:H in the CVSS v3.1 vector) with network access (AV:N) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N). Because the write lands outside the directory the application intended, the impact crosses a security boundary (S:C) and is rated high for confidentiality (C:H), integrity (I:H), and availability (A:H): for example, critical files can be overwritten or malicious code planted outside the intended directory.

The vulnerability is addressed in MarkUs version 2.9.1, as detailed in the project's GitHub security advisory (GHSA-mccg-p332-252h), release notes, and the fixing commit (0ca002a1f0071c7a00dbb2ed34fede57323c5dc7). Security practitioners should upgrade to 2.9.1 or later and review access controls for instructor roles to mitigate risks from privileged users.
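The confinement check that the first mitigating control above calls for, and that the summary says the pre-2.9.1 handler lacked, as an added Ruby example (MarkUs is a Rails application); this is not the project's own code or its 2.9.1 fix, and the entry names, destination directory and function names are constructed for illustration:

```ruby
require "tmpdir"
require "fileutils"
# Resolve one ZIP entry name against the extraction directory; return the absolute
# destination path, or nil when it would land outside. Hypothetical helper.
def safe_entry_path(dest_dir, entry_name)
  return nil if entry_name.nil? || entry_name.empty?
  return nil if entry_name.include?("\0")      # NUL: expand_path raises, other layers truncate
  name = entry_name.tr("\\", "/")               # archives built on Windows use backslashes
  return nil if name.start_with?("/", "~")      # absolute paths and tilde (home) expansion
  base = File.expand_path(dest_dir)
  resolved = File.expand_path(name, base)       # collapses "." and ".." lexically
  # Strictly inside base: the trailing separator blocks the sibling-prefix trick
  # ("/srv/dest" vs "/srv/dest-evil"), which a bare start_with?(base) would accept.
  return nil unless resolved.start_with?(base + File::SEPARATOR)
  resolved
end

# Split entry names into accepted {name => path} and rejected [name].
def plan_extraction(dest_dir, entry_names)
  accepted = {}
  rejected = []
  entry_names.each do |name|
    path = safe_entry_path(dest_dir, name)
    path ? (accepted[name] = path) : (rejected << name)
  end
  [accepted, rejected]
end

# Constructed archive listing (hypothetical): benign entries plus hostile ones.
SAMPLE_ENTRIES = [
  "assignment.yml",
  "tests/test_config.yml",
  "sub/../ok.txt",                      # lexically inside, accepted
  "../../config/initializers/evil.rb",  # classic traversal
  "/etc/cron.d/evil",                   # absolute path
  "..\\..\\evil.rb",                    # backslash variant
].freeze
# Write only accepted entries (placeholder contents) into a temp dir; return
# the sorted names written and the sorted names rejected.
def extract_safely(entry_names)
  Dir.mktmpdir("markus_cfg") do |dir|
    accepted, rejected = plan_extraction(dir, entry_names)
    accepted.each_value do |path|
      FileUtils.mkdir_p(File.dirname(path))
      File.write(path, "placeholder")
    end
    [accepted.keys.sort, rejected.sort]
  end
end
```

The lexical check runs before anything touches the filesystem, so a rejected entry never causes a directory to be created; a real extractor would additionally skip symlink entries and enforce size limits.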

Details

CWE(s): CWE-23

Affected Products: markusproject / markus, ≤ 2.9.1

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A path traversal vulnerability in a public-facing web application (MarkUs), reachable through an authenticated ZIP upload endpoint, enables arbitrary file writes, which maps directly to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
