{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25126", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T14:03:42.540Z", "datePublished": "2026-01-29T22:06:37.224Z", "dateUpdated": "2026-02-02T16:34:07.949Z"}, "containers": {"cna": {"title": "PolarLearn's unvalidated vote direction allows vote count manipulation", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/polarnl/PolarLearn/security/advisories/GHSA-ghpx-5w2p-p3qp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/polarnl/PolarLearn/security/advisories/GHSA-ghpx-5w2p-p3qp"}, {"name": "https://github.com/polarnl/PolarLearn/commit/e6227d94d0e53e854f6a46480db8cd1051184d41", "tags": ["x_refsource_MISC"], "url": "https://github.com/polarnl/PolarLearn/commit/e6227d94d0e53e854f6a46480db8cd1051184d41"}], "affected": [{"vendor": "polarnl", "product": "PolarLearn", "versions": [{"version": "< 0-PRERELEASE-15", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-29T22:06:37.224Z"}, "descriptions": [{"lang": "en", "value": "PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (`POST /api/v1/forum/vote`) trusts the JSON body\u2019s `direction` value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., `\"x\"`) as `direction`. Downstream (`VoteServer`) treats any non-`\"up\"` and non-`null` value as a downvote and persists the invalid value in `votes_data`. This can be exploited to bypass intended business logic. Version 0-PRERELEASE-15 fixes the vulnerability."}], "source": {"advisory": "GHSA-ghpx-5w2p-p3qp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-30T14:37:03.172573Z", "id": "CVE-2026-25126", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T16:34:07.949Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25126", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-30T14:37:03.172573Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T14:37:07.311Z"}}], "cna": {"title": "PolarLearn's unvalidated vote direction allows vote count manipulation", "source": {"advisory": "GHSA-ghpx-5w2p-p3qp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "polarnl", "product": "PolarLearn", "versions": [{"status": "affected", "version": "< 0-PRERELEASE-15"}]}], "references": [{"url": "https://github.com/polarnl/PolarLearn/security/advisories/GHSA-ghpx-5w2p-p3qp", "name": "https://github.com/polarnl/PolarLearn/security/advisories/GHSA-ghpx-5w2p-p3qp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/polarnl/PolarLearn/commit/e6227d94d0e53e854f6a46480db8cd1051184d41", "name": "https://github.com/polarnl/PolarLearn/commit/e6227d94d0e53e854f6a46480db8cd1051184d41", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (`POST /api/v1/forum/vote`) trusts the JSON body\u2019s `direction` value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., `\"x\"`) as `direction`. Downstream (`VoteServer`) treats any non-`\"up\"` and non-`null` value as a downvote and persists the invalid value in `votes_data`. This can be exploited to bypass intended business logic. Version 0-PRERELEASE-15 fixes the vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-29T22:06:37.224Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25126", "state": "PUBLISHED", "dateUpdated": "2026-02-02T16:34:07.949Z", "dateReserved": "2026-01-29T14:03:42.540Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-29T22:06:37.224Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:polarlearn:polarlearn:-:*:*:*:*:*:*:*", "matchCriteriaId": "98DA1036-1EFB-46E7-9C83-425B1C6E6F23", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (`POST /api/v1/forum/vote`) trusts the JSON body\u2019s `direction` value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., `\"x\"`) as `direction`. Downstream (`VoteServer`) treats any non-`\"up\"` and non-`null` value as a downvote and persists the invalid value in `votes_data`. This can be exploited to bypass intended business logic. Version 0-PRERELEASE-15 fixes the vulnerability."}], "id": "CVE-2026-25126", "lastModified": "2026-02-20T20:46:35.787", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-29T22:15:56.423", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/polarnl/PolarLearn/commit/e6227d94d0e53e854f6a46480db8cd1051184d41"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/polarnl/PolarLearn/security/advisories/GHSA-ghpx-5w2p-p3qp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:30:46.771928+00:00", "value": {"mitigation_remediation": ["Upgrade PolarLearn to version 0-PRERELEASE-15 or later. This includes runtime validation of vote direction.", "Implement server\u2011side input validation for the direction field, allowing only the \u2018up\u2019 value or null.", "Review and monitor vote logs for abnormal voting patterns and enforce rate limiting to detect potential abuse."], "summary": {"action": "Apply Patch", "impact": "Vote Count Manipulation"}, "threat_synthesis": {"affected_systems": "PolarLearn, version prior to 0-PRERELEASE-15, is impacted. Any deployment using older versions without the patch is vulnerable.", "description_and_impact": "Vulnerability in the polarlearn API route allows an attacker to send arbitrary vote direction values that bypass normal validation, causing votes to be recorded as downvotes or invalid values. This can alter poll counts and subvert the intended business logic, potentially affecting system integrity and data accuracy.", "risk_and_exploitability": "With a CVSS score of 7.1, the issue is moderate to high severity. The EPSS score is below 1%, indicating a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, via the public API endpoint POST /api/v1/forum/vote, where an attacker can supply crafted payloads if no network restrictions are in place."}}}}, "created": "2026-01-30T08:42:30.574299+00:00", "updated": "2026-04-18T14:45:03.108433+00:00", "vendors": ["polarnl", "polarnl$PRODUCT$polarlearn"]}