CVE-2026-25057

9.1 CRITICAL

📋 TL;DR

This vulnerability allows instructors to achieve arbitrary file write on the server by uploading specially crafted zip files. Attackers could write malicious files anywhere the application has write permissions, potentially leading to remote code execution. All MarkUs instances running versions before 2.9.1 are affected.

💻 Affected Systems

Products:
  • MarkUs
Versions: All versions prior to 2.9.1
Operating Systems: All platforms running MarkUs
Default Config Vulnerable: ⚠️ Yes
Notes: Requires instructor-level access to exploit. Student accounts cannot trigger this vulnerability.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Arbitrary file write allowing attackers to modify application files, create backdoors, or overwrite critical system files.

🟢 If Mitigated: Limited impact if file permissions are properly restricted and monitoring detects unusual file writes.

🌐 Internet-Facing: HIGH - Web application accessible over internet with authenticated exploit capability.
🏢 Internal Only: HIGH - Even internal-only instances can be exploited by compromised instructor accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires instructor credentials but is technically simple once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.9.1

Vendor Advisory: https://github.com/MarkUsProject/Markus/security/advisories/GHSA-mccg-p332-252h

Restart Required: Yes

Instructions:

1. Back up your current MarkUs installation and database.
2. Update to MarkUs version 2.9.1 or later.
3. Restart the MarkUs application server.
4. Verify the fix by checking the version.

🔧 Temporary Workarounds

Disable assignment configuration upload (Platform: all)

Temporarily disable the vulnerable endpoint until patching is possible by blocking it in the web server configuration. Example for nginx:

    # Block the vulnerable upload endpoint until MarkUs is updated to 2.9.1
    location ~ ^/courses/.*/assignments/upload_config_files$ {
        return 403;
    }

Restrict instructor account access (Platform: all)

Temporarily disable or restrict instructor accounts that don't need assignment creation capabilities. Review and disable unnecessary instructor accounts in the MarkUs admin interface.

🧯 If You Can't Patch

  • Implement strict file permission controls to limit where MarkUs can write files
  • Deploy file integrity monitoring to detect unauthorized file writes in sensitive directories

🔍 How to Verify

Check if Vulnerable:

Check if MarkUs version is below 2.9.1. Review application logs for suspicious file uploads to the upload_config_files endpoint.

Check Version:

Check MarkUs version in admin interface or application configuration files

Verify Fix Applied:

Confirm MarkUs version is 2.9.1 or higher. Test that path traversal attempts in zip file names are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations outside expected directories
  • Multiple failed upload attempts with suspicious filenames
  • Access to upload_config_files endpoint with zip files containing path traversal sequences

Network Indicators:

  • Large or unusual zip file uploads to the vulnerable endpoint
  • POST requests to /courses/*/assignments/upload_config_files

SIEM Query:

source="markus_logs" AND (uri_path="/courses/*/assignments/upload_config_files" OR file_write_path CONTAINS "../")
