{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25057", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-28T14:50:47.889Z", "datePublished": "2026-02-09T19:16:55.980Z", "dateUpdated": "2026-02-10T16:00:52.427Z"}, "containers": {"cna": {"title": "Zip Slip in MarkUs config upload allowing RCE", "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-mccg-p332-252h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-mccg-p332-252h"}, {"name": "https://github.com/MarkUsProject/Markus/commit/0ca002a1f0071c7a00dbb2ed34fede57323c5dc7", "tags": ["x_refsource_MISC"], "url": "https://github.com/MarkUsProject/Markus/commit/0ca002a1f0071c7a00dbb2ed34fede57323c5dc7"}, {"name": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1"}], "affected": [{"vendor": "MarkUsProject", "product": "Markus", "versions": [{"version": "< 2.9.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T19:16:55.980Z"}, "descriptions": [{"lang": "en", "value": "MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration (courses/<:course_id>/assignments/upload_config_files). The uploaded zip file entry names are used to create paths to write files to disk without checking these paths. This vulnerability is fixed in 2.9.1."}], "source": {"advisory": "GHSA-mccg-p332-252h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:32:11.727315Z", "id": "CVE-2026-25057", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:00:52.427Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25057", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-10T15:32:11.727315Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:32:12.424Z"}}], "cna": {"title": "Zip Slip in MarkUs config upload allowing RCE", "source": {"advisory": "GHSA-mccg-p332-252h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "MarkUsProject", "product": "Markus", "versions": [{"status": "affected", "version": "< 2.9.1"}]}], "references": [{"url": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-mccg-p332-252h", "name": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-mccg-p332-252h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/MarkUsProject/Markus/commit/0ca002a1f0071c7a00dbb2ed34fede57323c5dc7", "name": "https://github.com/MarkUsProject/Markus/commit/0ca002a1f0071c7a00dbb2ed34fede57323c5dc7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1", "name": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration (courses/<:course_id>/assignments/upload_config_files). The uploaded zip file entry names are used to create paths to write files to disk without checking these paths. This vulnerability is fixed in 2.9.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T19:16:55.980Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25057", "state": "PUBLISHED", "dateUpdated": "2026-02-10T16:00:52.427Z", "dateReserved": "2026-01-28T14:50:47.889Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T19:16:55.980Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:markusproject:markus:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D6B2B7B-F46C-4CEE-86D4-B25D3746747A", "versionEndExcluding": "2.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration (courses/<:course_id>/assignments/upload_config_files). The uploaded zip file entry names are used to create paths to write files to disk without checking these paths. This vulnerability is fixed in 2.9.1."}, {"lang": "es", "value": "MarkUs es una aplicaci\u00f3n web para la entrega y calificaci\u00f3n de trabajos de estudiantes. Antes de 2.9.1, los instructores pueden subir un archivo zip para crear una tarea a partir de una configuraci\u00f3n exportada (courses/&lt;:course_id&gt;/assignments/upload_config_files). Los nombres de las entradas del archivo zip subido se utilizan para crear rutas para escribir archivos en el disco sin verificar estas rutas. Esta vulnerabilidad est\u00e1 corregida en 2.9.1."}], "id": "CVE-2026-25057", "lastModified": "2026-02-19T20:25:55.387", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T20:15:56.550", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/MarkUsProject/Markus/commit/0ca002a1f0071c7a00dbb2ed34fede57323c5dc7"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-mccg-p332-252h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.9.1)"}}], "product": "markus", "vendor": "markusproject"}], "analysis": {"en": {"generated_at": "2026-04-17T21:17:42.424821+00:00", "value": {"mitigation_remediation": ["Upgrade MarkUs to version 2.9.1 or later, which properly sanitizes ZIP entry names before extraction.", "Restrict or temporarily disable the upload_config_files endpoint to trusted users only until the patch is applied.", "If an upgrade is not immediately possible, implement a server\u2011side check that rejects ZIP entries containing directory traversal or absolute paths, and verify that extracted files reside within the intended assignment directory.", "Consider configuring your web server or application firewall to block unexpected file writes or detect anomalous race conditions."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "MarkUs Project MarkUs is affected. All releases before version 2.9.1 contain the flaw. The upload configuration endpoint (courses/<:course_id>/assignments/upload_config_files) is vulnerable. The issue has been fixed in release 2.9.1. No other MarkUs versions are mentioned as affected.", "description_and_impact": "The vulnerability arises from the lack of path validation when extracting a ZIP file uploaded through the assignment configuration import. An attacker who can supply a crafted ZIP file can create filenames containing directory traversal characters, causing the server to write files to arbitrary locations on the filesystem. If the attacker can place an executable or overwrite configuration files, this results in remote code execution or further compromise of the MarkUs instance. The weakness is a classic path traversal flaw (CWE\u201123).", "risk_and_exploitability": "CVSS score of 9.1 signals a critical vulnerability. However, the EPSS score of less than 1% indicates that the probability of exploitation in the wild is low at present, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector requires authenticated access as an instructor or a role with permission to upload assignment configurations. Once the attacker provides a malicious ZIP file, the unchecked paths allow arbitrary file creation, which an attacker can use to deliver or execute code on the server. The vulnerability is mitigated by upgrading to version 2.9.1, which includes proper path validation."}}}}, "created": "2026-02-10T11:35:16.257394+00:00", "updated": "2026-04-17T21:30:28.384099+00:00", "vendors": ["markusproject", "markusproject$PRODUCT$markus"]}