Markusproject Markus

8 matches found

CVE
added 2024/11/18 4:57 p.m., 56 views

CVE-2024-47820

CVE-2024-47820 : MarkUs, a web application for submitting and grading student work, is vulnerable to path traversal in versions prior to 2.4.8. An authenticated instructor can download files from the web server based on file permissions. MarkUs v2.4.8 fixes the issue; there are no application-lev...

5.7 CVSS, 5.5 AI score, 0.00729 EPSS
CVE
added 2024/11/18 7:52 p.m., 53 views

CVE-2024-51499

CVE-2024-51499 (MarkUs) : Affected software is MarkUs web app (Rails) versions before 2.4.8. The root cause is an arbitrary file write vulnerability exposed through the SubmissionsController.update_files method, allowing authenticated users (e.g., students) to write files to arbitrary server path...

8.8 CVSS, 7.3 AI score, 0.00696 EPSS
CVE
added 2024/11/18 8:4 p.m., 52 views

CVE-2024-51743

CVE-2024-51743 affects MarkUs up to version 2.4.8, where an arbitrary file-write vulnerability in the update/upload/create file methods in Controllers allows authenticated instructors to write files to locations on the server. The underlying issue can lead to delayed remote code execution if a Ru...

8.8 CVSS, 8.9 AI score, 0.00723 EPSS
CVE
added 2026/02/09 7:16 p.m., 25 views

CVE-2026-25057

CVE-2026-25057 affects MarkUs prior to version 2.9.1. Instructors can upload a zip file to create an assignment from an exported configuration, and the zip entry names are used to construct paths for writing files to disk without validating those paths. This can allow arbitrary path usage during ...

9.1 CVSS, 5.6 AI score, 0.00469 EPSS
Web
CVE
added 2026/02/09 6:39 p.m., 18 views

CVE-2026-24900

An active vulnerability in MarkUs prior to version 2.9.1: the submissions/html_content endpoint accepts a select_file_id parameter that is not properly scoped to the requesting user, allowing access to arbitrary submission file contents by id. Impact is confidentiality (HIGH) without integrity/av...

6.5 CVSS, 5.7 AI score, 0.00251 EPSS
Web
CVE
added 2026/03/05 8:6 p.m., 18 views

CVE-2026-28405

MarkUs (web-based submission and grading system) is affected by CVE-2026-28405 through the submissions/html_content route, where content from a student-submitted file is rendered without sanitization prior to version 2.9.1. The root cause is lack of input sanitization in how submitted files are r...

8 CVSS, 5.8 AI score, 0.00223 EPSS
CVE
added 2026/03/06 2:48 a.m., 15 views

CVE-2026-27807

MarkUs (web app for assignment submission/grading) is affected by CVE-2026-27807 due to YAML files parsed with aliases enabled, enabling a billion‑laughs style DoS. The issue affects configurations uploaded prior to v2.9.4, where YAML parsing could be abused to exhaust resources. The CVSS vector ...

4.9 CVSS, 5.8 AI score, 0.00284 EPSS
CVE
added 2026/03/06 2:48 a.m., 14 views

CVE-2026-25962

MarkUs (web application for student submissions and grading) is vulnerable prior to version 2.9.4 due to zip extraction without size or entry-count limits. This can allow a DoS via crafted zip uploads (e.g., for configuration or submissions). The issue is patched in version 2.9.4. If exploiting, ...

6.5 CVSS, 5.8 AI score, 0.0026 EPSS