CVE-2026-28405
📋 TL;DR
This vulnerability allows cross-site scripting (XSS) attacks in MarkUs assignment submission system. Attackers can inject malicious scripts into student-submitted files that execute when instructors view the content. All MarkUs instances running versions before 2.9.1 are affected.
💻 Affected Systems
- MarkUs
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal instructor/admin session cookies, perform actions as authenticated users, or deploy malware to users' browsers.
Likely Case
Session hijacking, credential theft, or defacement of the grading interface through malicious script execution.
If Mitigated
Limited impact with proper content security policies and browser security features, though XSS could still execute in some contexts.
🎯 Exploit Status
Requires student-level access to submit malicious files, then instructor/admin to view them. No authentication bypass needed beyond student account.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.1
Vendor Advisory: https://github.com/MarkUsProject/Markus/security/advisories/GHSA-p5pc-pxrj-3893
Restart Required: Yes
Instructions:
1. Backup your MarkUs instance. 2. Update to version 2.9.1 via git: 'git pull origin main' or download release. 3. Run bundle install. 4. Restart the application server.
🔧 Temporary Workarounds
Disable HTML content viewing
allTemporarily disable the vulnerable route or restrict access to it
Modify routes.rb to comment out or restrict the affected route
Implement WAF rules
allAdd web application firewall rules to block XSS payloads in file content
🧯 If You Can't Patch
- Restrict student file uploads to non-HTML formats only
- Implement strict Content Security Policy headers to mitigate script execution
🔍 How to Verify
Check if Vulnerable:
Check if MarkUs version is below 2.9.1 and the /courses/*/assignments/*/submissions/html_content route existsCheck Version:
Check config/initializers/version.rb or run 'git describe --tags' in MarkUs directoryVerify Fix Applied:
Verify version is 2.9.1 or higher and test that HTML content is properly sanitized when viewing submissions📡 Detection & Monitoring
Log Indicators:
- Unusual file submissions with script tags
- Multiple failed attempts to access vulnerable route
Network Indicators:
- HTTP requests to the vulnerable route with suspicious parameters
SIEM Query:
source="markus_logs" AND (uri="/courses/*/assignments/*/submissions/html_content" OR message="script")