CVE-2026-27807: MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs allows
medium vulnerability
security
Summary
MarkUs, a web application for student assignment submission and grading, has a vulnerability in versions before 2.9.4: course instructors can upload YAML files (a file format for storing configuration data), and these files are parsed with aliases enabled, so a maliciously crafted file is processed by the parser. This is a type of XML entity expansion attack, in which a small, specially crafted file makes a parser expand nested references into a far larger structure and exhaust server resources.
Solution / Mitigation
Update to version 2.9.4, which patches this issue.
Vulnerability Details
CVSS Score
4.9 (medium)
EPSS (30-day exploit probability)
EPSS: 0.0%
Classification
Attack Sophistication: Moderate
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-27807
First tracked: March 6, 2026 at 03:07 AM
Classified by LLM (prompt v3) · confidence: 95%