CVE-2026-28405
Published: 05 March 2026
Summary
CVE-2026-28405 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Markusproject Markus. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 11.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): directly prevents the XSS by requiring that student-submitted file contents be filtered or encoded before they are rendered in the html_content route.
- SI-2 (Flaw Remediation): ensures timely identification, reporting, and patching of the flaw, which is fixed in MarkUs version 2.9.1.
- Input validation: validates uploaded file contents to block malicious HTML/JavaScript payloads before storage and rendering.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables direct injection/execution of attacker-controlled JavaScript in the victim's browser context (T1059.007) and directly facilitates session hijacking plus cookie theft (T1185, T1539) when the unsanitized submission is viewed.
NVD Description
MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content route reads the contents of a student-submitted file and renders them without sanitization. This issue has been patched in version 2.9.1.
Deeper analysis
CVE-2026-28405 is a cross-site scripting vulnerability (CWE-79) affecting MarkUs, an open-source web application used for the submission and grading of student assignments. In versions prior to 2.9.1, the route `/courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content` reads the contents of a student-submitted file and renders it without proper sanitization, enabling the injection and execution of malicious scripts. The vulnerability was published on 2026-03-05 and carries a CVSS v3.1 base score of 8.0 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
An authenticated user with low privileges, such as a student, can exploit this vulnerability by uploading a file containing a malicious HTML or JavaScript payload. Exploitation requires a victim, typically an instructor or another authorized user, to open the affected route for that submission; the file is then rendered unsanitized and the script executes in the victim's browser context. Successful attacks can result in high-impact compromise of confidentiality, integrity, and availability, such as session hijacking, data theft, or further system manipulation.
The issue has been addressed in MarkUs version 2.9.1, where sanitization was added to prevent script injection. Administrators should upgrade to this patched release immediately. Additional details on the fix are provided in the GitHub security advisory (GHSA-p5pc-pxrj-3893), release notes for v2.9.1, and the specific patching commit (55d74f2ddb72d2ec2f29aa2b4cb6b2da10755036).
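The vulnerable pattern described above, and the two defensive options that SI-15 points at, as an added Ruby example (MarkUs is a Rails application, but this code is not MarkUs's own code and not its actual fix; the function names, the sample submission and the header values are constructed for illustration). `render_submission_unsafe` reproduces the generic flaw: the uploaded file body is interpolated into the response and the browser interprets whatever markup it contains. `render_submission_escaped` applies output encoding, and `isolation_headers` shows the alternative when the feature genuinely must render HTML: serve it under a sandboxing Content-Security-Policy so scripts are blocked and the document gets an opaque origin with no access to the grader's session. `active_content?` is an upload-time detection aid only; it is the output-side handling that actually prevents execution.

```ruby
require 'cgi'

# Constructed sample of a student-uploaded file: ordinary markup mixed with an
# active script. Test fixture only, not a real submission.
SAMPLE_SUBMISSION = "<p>Assignment 1</p><script>alert(1)</script>"

# Vulnerable pattern (generic, hypothetical, not MarkUs's code): the file body
# is interpolated straight into the page, so any script in it runs in the
# viewer's browser with the viewer's session.
def render_submission_unsafe(content)
  "<div class=\"submission\">#{content}</div>"
end

# Hardened pattern 1, output encoding (NIST SI-15): treat the submission as
# text. CGI.escapeHTML turns <, >, &, " and ' into entities, so the browser
# displays the markup instead of executing it. Use this when the application
# only needs to *show* the file.
def render_submission_escaped(content)
  "<div class=\"submission\">#{CGI.escapeHTML(content)}</div>"
end

# Hardened pattern 2 (assumption, not the project's fix): when the feature has
# to render the HTML, isolate it rather than trust it. A CSP "sandbox" directive
# with no allow-scripts blocks script execution and gives the response an
# opaque origin, so even an unsanitized file cannot read the grader's cookies
# or touch the MarkUs DOM; default-src 'none' blocks every outbound fetch.
def isolation_headers
  {
    'Content-Type' => 'text/html; charset=utf-8',
    'X-Content-Type-Options' => 'nosniff',
    'Content-Security-Policy' => "sandbox; default-src 'none'; style-src 'unsafe-inline'"
  }
end

# Defense in depth at upload time: flag submissions that carry active content
# so they can be reviewed or rejected before storage. A denylist like this
# can miss encodings and produce false positives (e.g. "once=" in prose);
# it is a detection aid, not the primary control.
ACTIVE_CONTENT = /<\s*script\b|<\s*iframe\b|\bon[a-z]+\s*=|javascript:/i

def active_content?(content)
  !(content =~ ACTIVE_CONTENT).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts render_submission_escaped(SAMPLE_SUBMISSION)
  puts "active content flagged: #{active_content?(SAMPLE_SUBMISSION)}"
  isolation_headers.each { |k, v| puts "#{k}: #{v}" }
end
```

Running the file prints the escaped rendering (the script tag appears as literal text) and the isolation headers; in a Rails controller the equivalent would be `ERB::Util.html_escape` or `sanitize` on the output side, and `response.headers` for the isolation variant.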
Details
- CWE(s)