Cyber Posture

CVE-2026-25057

Critical

Published: 09 February 2026

Modified: 19 February 2026
KEV Added: not listed
Patch: fixed in MarkUs 2.9.1
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0011 (29.0th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25057 is a critical-severity Relative Path Traversal (CWE-23) vulnerability in Markusproject Markus. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 29.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-10 Information Input Validation): Requires validation of ZIP file entry names to block path traversal sequences, directly preventing arbitrary file writes to disk.
- prevent (SI-2 Flaw Remediation): Mandates timely flaw remediation by upgrading to MarkUs 2.9.1 or later, which fixes the unchecked ZIP path handling.
- prevent (access control): Enforces access control policies to restrict file write operations by instructors to only intended directories, limiting path traversal impact.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal vulnerability in public-facing web application (MarkUs) via authenticated ZIP upload endpoint enables arbitrary file write, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration (courses/<:course_id>/assignments/upload_config_files). The uploaded zip file entry names are used to create paths to write files to disk without checking these paths. This vulnerability is fixed in 2.9.1.

Deeper analysis

CVE-2026-25057 is a path traversal vulnerability (CWE-23) affecting MarkUs, an open-source web application used for the submission and grading of student assignments. In versions prior to 2.9.1, the feature allowing instructors to upload a ZIP file for creating an assignment from an exported configuration—accessible via the endpoint courses/<:course_id>/assignments/upload_config_files—fails to validate the entry names within the ZIP archive. These unchecked entry names are directly used to construct file paths for writing to the server's disk, enabling attackers to write files to arbitrary locations.

An authenticated instructor (PR:H per CVSS v3.1) with network access (AV:N) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation produces a scope change (S:C) and high impact to confidentiality (C:H), integrity (I:H), and availability (A:H) on the affected system, for example by overwriting critical files or planting malicious code outside the intended directory.

The vulnerability is addressed in MarkUs version 2.9.1, as detailed in the project's GitHub security advisory (GHSA-mccg-p332-252h), release notes, and the fixing commit (0ca002a1f0071c7a00dbb2ed34fede57323c5dc7). Security practitioners should upgrade to 2.9.1 or later and review access controls for instructor roles to mitigate risks from privileged users.
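The SI-10 control above comes down to one check: before any archive entry is written, its name must resolve to a path strictly inside the directory chosen for extraction. The following is an added example, not code from the MarkUs project or its fix; it assumes a Rails-style extraction root and constructs its own sample entry names. It validates names lexically (absolute paths, drive letters, NUL bytes, backslash separators and any `..` that climbs out of the root are rejected) and returns the absolute destination path only for entries that pass, so the writing code never sees an unchecked name.

```ruby
# Validate one ZIP entry name against the extraction root.
# Returns the absolute destination path when the entry is safe, or nil when
# it must be rejected. Assumptions (constructed for this example): base_dir
# already exists, is a real directory rather than a symlink, and every entry
# is written only through the path this function returns.
def safe_entry_path(base_dir, entry_name)
  return nil if entry_name.nil? || entry_name.empty?
  return nil if entry_name.include?("\0")      # NUL truncates paths in C-level file APIs
  name = entry_name.tr("\\", "/")              # treat Windows separators as separators
  return nil if name.start_with?("/")          # absolute paths never belong in an archive
  return nil if name.match?(/\A[A-Za-z]:/)     # drive-letter prefixes (C:...) likewise

  root = File.absolute_path(base_dir)
  # File.absolute_path collapses "." and ".." lexically but, unlike
  # File.expand_path, does not expand "~", so no home-directory lookup happens.
  dest = File.absolute_path(name, root)

  # Strict containment: require the separator so that a sibling directory with
  # the same prefix (e.g. "/srv/app2" under root "/srv/app") cannot pass.
  return nil unless dest.start_with?(root + File::SEPARATOR)
  dest
end

# Split a list of entry names into accepted {name => destination} and rejected
# names. A caller that extracts the archive can refuse the whole upload when
# anything is rejected, which is simpler to reason about than skipping entries.
def partition_entries(base_dir, entry_names)
  accepted = {}
  rejected = []
  entry_names.each do |name|
    dest = safe_entry_path(base_dir, name)
    dest ? accepted[name] = dest : rejected << name
  end
  { accepted: accepted, rejected: rejected }
end

# Constructed sample: an assignment-config upload for a hypothetical course.
SAMPLE_ROOT = "/srv/markus/assignments/42"
SAMPLE_ENTRIES = [
  "config.yml",                    # ordinary file
  "tests/test_1.rb",               # nested file
  "tests/../notes.txt",            # ".." that stays inside the root
  "docs/",                         # directory entry
  "../../../etc/cron.d/job",       # climbs out of the root
  "/etc/passwd",                   # absolute path
  "sub/../../escape.txt",          # resolves to the parent of the root
  "..\\..\\boot.ini",              # backslash separators
  "C:/Windows/win.ini",            # drive-letter prefix
  "evil\0.txt"                     # embedded NUL
]

if __FILE__ == $PROGRAM_NAME
  result = partition_entries(SAMPLE_ROOT, SAMPLE_ENTRIES)
  result[:accepted].each { |name, dest| puts "ACCEPT #{name.inspect} -> #{dest}" }
  result[:rejected].each { |name| puts "REJECT #{name.inspect}" }
end
```

The lexical check is necessary but not sufficient on its own: if the archive is extracted incrementally and an earlier entry created a symlink inside the root, a later entry could write through it. Extracting entries that are regular files only (skipping symlink entries), or re-checking `File.realpath` of the destination's parent directory after creating it, closes that gap.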

Details

CWE(s): CWE-23 (Relative Path Traversal)

Affected Products: markusproject / markus, ≤ 2.9.1

CVEs Like This One

- CVE-2026-28405 (same product: Markusproject Markus)
- CVE-2026-33494 (shared CWE-23)
- CVE-2025-25130 (shared CWE-23)
- CVE-2025-27553 (shared CWE-23)
- CVE-2026-30345 (shared CWE-23)
- CVE-2026-29778 (shared CWE-23)
- CVE-2025-23011 (shared CWE-23)
- CVE-2026-43533 (shared CWE-23)
- CVE-2025-23410 (shared CWE-23)
- CVE-2025-27610 (shared CWE-23)

References