Description
MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration (courses/<:course_id>/assignments/upload_config_files). The uploaded zip file entry names are used to create paths to write files to disk without checking these paths. This vulnerability is fixed in 2.9.1.
Published: 2026-02-09
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from the lack of path validation when extracting a ZIP file uploaded through the assignment configuration import. An attacker who can supply a crafted ZIP file can create filenames containing directory traversal characters, causing the server to write files to arbitrary locations on the filesystem. If the attacker can place an executable or overwrite configuration files, this results in remote code execution or further compromise of the MarkUs instance. The weakness is a classic path traversal flaw (CWE‑23).

Affected Systems

MarkUs Project MarkUs is affected. All releases before version 2.9.1 contain the flaw. The upload configuration endpoint (courses/<:course_id>/assignments/upload_config_files) is vulnerable. The issue has been fixed in release 2.9.1. No other MarkUs versions are mentioned as affected.

Risk and Exploitability

CVSS score of 9.1 signals a critical vulnerability. However, the EPSS score of less than 1% indicates that the probability of exploitation in the wild is low at present, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector requires authenticated access as an instructor or a role with permission to upload assignment configurations. Once the attacker provides a malicious ZIP file, the unchecked paths allow arbitrary file creation, which an attacker can use to deliver or execute code on the server. The vulnerability is mitigated by upgrading to version 2.9.1, which includes proper path validation.

Generated by OpenCVE AI on April 17, 2026 at 21:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MarkUs to version 2.9.1 or later, which properly sanitizes ZIP entry names before extraction.
  • Restrict or temporarily disable the upload_config_files endpoint to trusted users only until the patch is applied.
  • If an upgrade is not immediately possible, implement a server‑side check that rejects ZIP entries containing directory traversal or absolute paths, and verify that extracted files reside within the intended assignment directory.
  • Consider configuring your web server or application firewall to block unexpected file writes or detect anomalous race conditions.

Generated by OpenCVE AI on April 17, 2026 at 21:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:markusproject:markus:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Markusproject
Markusproject markus
Vendors & Products Markusproject
Markusproject markus

Mon, 09 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
Description MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration (courses/<:course_id>/assignments/upload_config_files). The uploaded zip file entry names are used to create paths to write files to disk without checking these paths. This vulnerability is fixed in 2.9.1.
Title Zip Slip in MarkUs config upload allowing RCE
Weaknesses CWE-23
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Markusproject Markus
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T16:00:52.427Z

Reserved: 2026-01-28T14:50:47.889Z

Link: CVE-2026-25057

cve-icon Vulnrichment

Updated: 2026-02-10T15:32:12.424Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-09T20:15:56.550

Modified: 2026-02-19T20:25:55.387

Link: CVE-2026-25057

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:30:28Z

Weaknesses