{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28405", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-27T15:33:57.289Z", "datePublished": "2026-03-05T20:06:13.433Z", "dateUpdated": "2026-03-06T17:04:05.190Z"}, "containers": {"cna": {"title": "MarkUs: Stored XSS in Submission HTML Preview Enables Instructor-Context Actions", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-p5pc-pxrj-3893", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-p5pc-pxrj-3893"}, {"name": "https://github.com/MarkUsProject/Markus/commit/55d74f2ddb72d2ec2f29aa2b4cb6b2da10755036", "tags": ["x_refsource_MISC"], "url": "https://github.com/MarkUsProject/Markus/commit/55d74f2ddb72d2ec2f29aa2b4cb6b2da10755036"}, {"name": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1"}], "affected": [{"vendor": "MarkUsProject", "product": "Markus", "versions": [{"version": "< 2.9.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T20:06:13.433Z"}, "descriptions": [{"lang": "en", "value": "MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content route reads the contents of a student-submitted file and renders them without sanitization. This issue has been patched in version 2.9.1."}], "source": {"advisory": "GHSA-p5pc-pxrj-3893", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T17:03:57.120331Z", "id": "CVE-2026-28405", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T17:04:05.190Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28405", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T17:03:57.120331Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T17:04:00.884Z"}}], "cna": {"title": "MarkUs: Stored XSS in Submission HTML Preview Enables Instructor-Context Actions", "source": {"advisory": "GHSA-p5pc-pxrj-3893", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "MarkUsProject", "product": "Markus", "versions": [{"status": "affected", "version": "< 2.9.1"}]}], "references": [{"url": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-p5pc-pxrj-3893", "name": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-p5pc-pxrj-3893", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/MarkUsProject/Markus/commit/55d74f2ddb72d2ec2f29aa2b4cb6b2da10755036", "name": "https://github.com/MarkUsProject/Markus/commit/55d74f2ddb72d2ec2f29aa2b4cb6b2da10755036", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1", "name": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content route reads the contents of a student-submitted file and renders them without sanitization. This issue has been patched in version 2.9.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T20:06:13.433Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28405", "state": "PUBLISHED", "dateUpdated": "2026-03-06T17:04:05.190Z", "dateReserved": "2026-02-27T15:33:57.289Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T20:06:13.433Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:markusproject:markus:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D6B2B7B-F46C-4CEE-86D4-B25D3746747A", "versionEndExcluding": "2.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content route reads the contents of a student-submitted file and renders them without sanitization. This issue has been patched in version 2.9.1."}, {"lang": "es", "value": "MarkUs es una aplicaci\u00f3n web para la entrega y calificaci\u00f3n de tareas de estudiantes. Antes de la versi\u00f3n 2.9.1, la ruta courses/&lt;:course_id&gt;/assignments/&lt;:assignment_id&gt;/submissions/html_content lee el contenido de un archivo enviado por un estudiante y los renderiza sin sanitizaci\u00f3n. Este problema ha sido parcheado en la versi\u00f3n 2.9.1."}], "id": "CVE-2026-28405", "lastModified": "2026-03-10T19:53:01.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-05T21:16:21.707", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/MarkUsProject/Markus/commit/55d74f2ddb72d2ec2f29aa2b4cb6b2da10755036"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-p5pc-pxrj-3893"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.9.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Markus", "source": "cna", "vendor": "MarkUsProject"}, "product": "markus", "vendor": "markusproject"}], "analysis": {"en": {"generated_at": "2026-04-16T12:10:33.182005+00:00", "value": {"mitigation_remediation": ["Update Markus to version 2.9.1 or later, which removes the unsanitized rendering path.", "If an update is not immediately possible, disable the HTML preview feature or enforce strict MIME type validation so that only plain text files are allowed for submission.", "Ensure that any custom configuration does not re\u2011enable unsanitized rendering; review deployment settings and templates for hardcoded references to the html_content route."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting in instructor context"}, "threat_synthesis": {"affected_systems": "MarkUsProject\u2019s Markus application, versions prior to 2.9.1. The vulnerability is fixed in v2.9.1. No other versions are confirmed affected.", "description_and_impact": "The vulnerability resides in the /courses/<course_id>/assignments/<assignment_id>/submissions/html_content route, where content from student\u2011submitted HTML files is rendered without sanitization. Attackers can embed malicious scripts that execute in the browser of any instructor who views the affected submission, potentially hijacking their session or exfiltrating sensitive data. This is a classic stored XSS flaw (CWE\u201179).", "risk_and_exploitability": "The CVSS base score of 8.0 classifies this as a high\u2011severity flaw. The EPSS score of less than 1% indicates a low probability of exploitation at present, and it has not been listed in CISA\u2019s KEV catalog. Attackers can exploit the flaw by submitting a crafted assignment as a student and later tricking an instructor into opening that submission; no privileged access is required beyond the ability to view the page."}}}}, "created": "2026-03-06T15:01:07.312456+00:00", "updated": "2026-04-16T12:15:35.092574+00:00", "vendors": ["markusproject", "markusproject$PRODUCT$markus"]}