{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25962", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T17:13:54.066Z", "datePublished": "2026-03-06T02:48:43.698Z", "dateUpdated": "2026-03-06T16:10:34.343Z"}, "containers": {"cna": {"title": "MarkUs: Zip bomb in config upload enables DoS", "problemTypes": [{"descriptions": [{"cweId": "CWE-409", "lang": "en", "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-x8xv-j7fc-65x5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-x8xv-j7fc-65x5"}, {"name": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.4"}], "affected": [{"vendor": "MarkUsProject", "product": "Markus", "versions": [{"version": "< 2.9.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T02:48:43.698Z"}, "descriptions": [{"lang": "en", "value": "MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs currently extracts zip files without any size or entry-count limits. For example, instructors can upload a zip file to provide an assignment configuration; students can upload a zip file for an assignment submission and indicate its contents should be extracted. This issue has been patched in version 2.9.4."}], "source": {"advisory": "GHSA-x8xv-j7fc-65x5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T15:50:47.797017Z", "id": "CVE-2026-25962", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:10:34.343Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25962", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-06T15:50:47.797017Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:50:48.781Z"}}], "cna": {"title": "MarkUs: Zip bomb in config upload enables DoS", "source": {"advisory": "GHSA-x8xv-j7fc-65x5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "MarkUsProject", "product": "Markus", "versions": [{"status": "affected", "version": "< 2.9.4"}]}], "references": [{"url": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-x8xv-j7fc-65x5", "name": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-x8xv-j7fc-65x5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.4", "name": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs currently extracts zip files without any size or entry-count limits. For example, instructors can upload a zip file to provide an assignment configuration; students can upload a zip file for an assignment submission and indicate its contents should be extracted. This issue has been patched in version 2.9.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-409", "description": "CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T02:48:43.698Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25962", "state": "PUBLISHED", "dateUpdated": "2026-03-06T16:10:34.343Z", "dateReserved": "2026-02-09T17:13:54.066Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T02:48:43.698Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:markusproject:markus:*:*:*:*:*:*:*:*", "matchCriteriaId": "68B46CED-C806-4F2A-B1C6-727EE540E7A2", "versionEndExcluding": "2.9.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs currently extracts zip files without any size or entry-count limits. For example, instructors can upload a zip file to provide an assignment configuration; students can upload a zip file for an assignment submission and indicate its contents should be extracted. This issue has been patched in version 2.9.4."}, {"lang": "es", "value": "MarkUs es una aplicaci\u00f3n web para la entrega y calificaci\u00f3n de tareas de estudiantes. Antes de la versi\u00f3n 2.9.4, MarkUs actualmente extrae archivos zip sin l\u00edmites de tama\u00f1o o de n\u00famero de entradas. Por ejemplo, los instructores pueden subir un archivo zip para proporcionar una configuraci\u00f3n de tarea; los estudiantes pueden subir un archivo zip para la entrega de una tarea e indicar que su contenido debe ser extra\u00eddo. Este problema ha sido parcheado en la versi\u00f3n 2.9.4."}], "id": "CVE-2026-25962", "lastModified": "2026-03-12T17:23:52.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T04:16:07.620", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.4"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-x8xv-j7fc-65x5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-409"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.9.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Markus", "source": "cna", "vendor": "MarkUsProject"}, "product": "markus", "vendor": "markusproject"}], "analysis": {"en": {"generated_at": "2026-04-17T12:28:23.569063+00:00", "value": {"mitigation_remediation": ["Upgrade MarkUs to version 2.9.4 or later, which implements limits on zip extraction size and entry count.", "If an upgrade cannot be performed immediately, prevent untrusted zip uploads by disabling the upload functionality or restricting file size before the extraction step.", "Implement system resource limits, such as setting disk quotas or using cgroup restrictions, to isolate the MarkUs process and protect against disk exhaustion."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of MarkUs prior to version 2.9.4. This includes any instance of the MarkUs project software where assignment configuration uploads or student submissions are processed through the zip extraction module. Affected deployments would be those running older releases of the application, typically found in academic institutions using MarkUs for course management.", "description_and_impact": "MarkUs, a web application for student assignment submission and grading, extracts uploaded zip files without imposing size or entry-count limits. An instructor or student can upload a specially crafted zip file (a zip bomb) that expands to a vast number of files or consumes excessive disk space when decompressed, leading to a resource exhaustion attack that can stall the system, deny service to legitimate users, and potentially disrupt grading workflows. The weakness is categorized as CWE-409, reflecting insufficient restriction of file extraction scope.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a medium severity with potential for significant impact on availability. The EPSS score is below 1%, suggesting exploit attempts are currently rare or undetected, but the vulnerability does not appear in the CISA KEV catalog. Because the malicious zip file can be uploaded through the user interface, the attack vector is likely local or remote (depending on access to the upload functionality). Exploitation requires only the ability to submit or configure an assignment, a capability typical for instructors or students, thereby making the threat relevant to a broad user base."}}}}, "created": "2026-03-06T14:56:11.629771+00:00", "updated": "2026-04-17T12:30:06.282809+00:00", "vendors": ["markusproject", "markusproject$PRODUCT$markus"]}