Cyber Resilience

CVE-2026-25057

Critical

Published: 09 February 2026

Modified: 19 February 2026
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0047 (37.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-25057 is a critical-severity Relative Path Traversal (CWE-23) vulnerability in Markusproject Markus. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 37.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25057 is a path traversal vulnerability (CWE-23) affecting MarkUs, an open-source web application used for the submission and grading of student assignments. In versions prior to 2.9.1, the feature that lets instructors upload a ZIP file to create an assignment from an exported configuration (the endpoint courses/<:course_id>/assignments/upload_config_files) does not validate the entry names inside the ZIP archive. These unchecked entry names are used directly to build the file paths written to the server's disk, so an entry name containing traversal sequences lets an attacker write files to arbitrary locations.
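The missing check described above (and the SI-10 input-validation control listed under Mitigating Controls) comes down to validating each ZIP entry name before it is turned into an on-disk path. The following is an added example written for this page, not MarkUs project code; the destination directory and the entry names are constructed, and the check is purely lexical (no archive library is needed).

```ruby
class ZipTraversalError < StandardError; end
# Return the absolute path under dest_root at which the ZIP entry may be
# written, or raise ZipTraversalError if the entry name would escape it.
def safe_extract_path(dest_root, entry_name)
  root = File.expand_path(dest_root)
  name = entry_name.to_s
  raise ZipTraversalError, "empty entry name" if name.empty?
  # A ZIP entry name must be a relative, '/'-separated path: reject absolute
  # paths, '~' (which File.expand_path would expand), backslashes, Windows
  # drive letters and embedded NUL bytes before doing any path arithmetic.
  if name.start_with?("/", "~") || name.match?(/\\|\A[A-Za-z]:|\0/)
    raise ZipTraversalError, "unsafe entry name: #{name.inspect}"
  end
  # Resolve '.' and '..' lexically, then confirm the result is still inside root.
  candidate = File.expand_path(name, root)
  unless candidate.start_with?(root + File::SEPARATOR)
    raise ZipTraversalError, "entry escapes destination: #{name.inspect}"
  end
  candidate
end

# Split entry names into [safe absolute paths, rejected entry names].
def partition_entries(dest_root, entry_names)
  safe, rejected = [], []
  entry_names.each do |n|
    begin
      safe << safe_extract_path(dest_root, n)
    rescue ZipTraversalError
      rejected << n
    end
  end
  [safe, rejected]
end

# Constructed sample entry names (illustrative, not from the advisory) in the
# shape of an exported assignment configuration archive.
SAMPLE_ENTRIES = [
  "assignment.yml",
  "rubric/criteria.yml",
  "rubric/../assignment.yml",          # resolves inside root: allowed
  "../../config/initializers/evil.rb", # climbs out of root: rejected
  "/etc/cron.d/evil",                  # absolute: rejected
  "sub/../../outside.txt",             # climbs out via nested '..': rejected
].freeze

if __FILE__ == $PROGRAM_NAME
  safe, rejected = partition_entries("/tmp/markus_upload", SAMPLE_ENTRIES)
  puts "safe: #{safe.inspect}", "rejected: #{rejected.inspect}"
end
```

A lexical check does not cover symbolic-link entries that an archive may also carry, so an extractor should additionally refuse symlink entries (or verify the written location with File.realpath) before writing through them.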

An authenticated instructor (PR:H per CVSS v3.1) with network access (AV:N) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation crosses a security boundary (S:C) and fully compromises the confidentiality (C:H), integrity (I:H), and availability (A:H) of the affected system, for example by overwriting critical files or planting malicious code outside the intended directory.

The vulnerability is addressed in MarkUs version 2.9.1, as detailed in the project's GitHub security advisory (GHSA-mccg-p332-252h), release notes, and the fixing commit (0ca002a1f0071c7a00dbb2ed34fede57323c5dc7). Security practitioners should upgrade to 2.9.1 or later and review access controls for instructor roles to mitigate risks from privileged users.

Vulnerability details

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration (courses/<:course_id>/assignments/upload_config_files). The uploaded zip file entry names are used to create paths to write files to disk without checking these paths. This vulnerability is fixed in 2.9.1.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal vulnerability in public-facing web application (MarkUs) via authenticated ZIP upload endpoint enables arbitrary file write, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28405 - Same product: Markusproject Markus
CVE-2026-8361 - Shared CWE-23
CVE-2025-25130 - Shared CWE-23
CVE-2026-33494 - Shared CWE-23
CVE-2026-30345 - Shared CWE-23
CVE-2026-29778 - Shared CWE-23
CVE-2025-20059 - Shared CWE-23
CVE-2025-54317 - Shared CWE-23
CVE-2024-56340 - Shared CWE-23
CVE-2026-32725 - Shared CWE-23

Affected Assets

markusproject / markus / ≤ 2.9.1

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10 Information Input Validation): Requires validation of ZIP file entry names to block path traversal sequences, directly preventing arbitrary file writes to disk.

prevent (SI-2 Flaw Remediation): Mandates timely flaw remediation by upgrading to MarkUs 2.9.1 or later, which fixes the unchecked ZIP path handling.

prevent: Enforces access control policies to restrict file write operations by instructors to only intended directories, limiting path traversal impact.
