CVE-2026-25057: MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able
critical vulnerability
security
Summary
MarkUs is a web application for submitting and grading student assignments. Before version 2.9.1, instructors could upload a zip file to create assignments, but the application didn't properly validate the file paths inside the zip, allowing a path traversal attack (an exploit where attackers use special characters like "../" to write files outside the intended directory).
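The missing check described above, sketched as an added example in Ruby (the language MarkUs is written in). This is not the MarkUs 2.9.1 patch or any code from the project; `safe_extract_path`, `partition_entries`, the extraction root and the sample entry names are all hypothetical and constructed for illustration.

```ruby
require 'pathname'

class UnsafeEntryError < StandardError; end

# Hypothetical helper: returns the absolute path an archive entry may be
# written to under dest_root, or raises UnsafeEntryError. Purely lexical;
# symlinks already on disk need a separate realpath check.
def safe_extract_path(dest_root, entry_name)
  root = Pathname.new(dest_root).cleanpath
  name = entry_name.tr('\\', '/') # check "..\x" the same way as "../x"
  raise UnsafeEntryError, 'empty name or NUL byte' if name.empty? || name.include?("\0")
  if name.start_with?('/') || name.match?(/\A[A-Za-z]:/)
    raise UnsafeEntryError, "absolute path: #{entry_name}"
  end

  # cleanpath collapses "." and ".." without touching the filesystem.
  target = (root + name).cleanpath
  # Compare by path components, not by string prefix, so a sibling such as
  # "<root>_sibling" is not mistaken for a child of the root.
  rel = target.relative_path_from(root).to_s
  if rel == '.' || rel == '..' || rel.start_with?('../')
    raise UnsafeEntryError, "escapes extraction root: #{entry_name}"
  end
  target.to_s
end

# Splits entry names into [safe, rejected] before anything is written.
def partition_entries(dest_root, names)
  names.partition do |n|
    begin
      safe_extract_path(dest_root, n)
      true
    rescue UnsafeEntryError
      false
    end
  end
end

# Constructed sample entry names, not taken from a real archive.
SAMPLE_ENTRIES = [
  'A1/starter/main.py', 'A1/./docs/../README.md', '../../outside.txt',
  '/tmp/absolute.txt', '..\\..\\outside.txt', '../uploads_sibling/file.txt'
].freeze
```

Rejecting the whole upload when `partition_entries` returns any rejected name is safer than silently skipping the bad entries.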
Solution / Mitigation
This vulnerability is fixed in version 2.9.1. Update MarkUs to version 2.9.1 or later.
Vulnerability Details
CVSS Score
9.1 (critical)
EPSS (30-day exploit probability)
EPSS: 0.1%
Classification
Attack Sophistication: Trivial
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-25057
First tracked: February 15, 2026 at 08:37 PM
Classified by LLM (prompt v3) · confidence: 95%