CVE-2026-25057: CWE-23: Relative Path Traversal in MarkUsProject Markus
CVE-2026-25057 is a critical relative path traversal vulnerability in MarkUsProject's Markus web application versions prior to 2. 9. 1. It allows authenticated instructors with high privileges to upload specially crafted zip files containing malicious path entries, enabling arbitrary file writes on the server. This can lead to full compromise of confidentiality, integrity, and availability of the affected system. The vulnerability is fixed in version 2. 9. 1. No known exploits are currently reported in the wild. European educational institutions using Markus versions below 2.
AI Analysis
Technical Summary
MarkUsProject's Markus is a web application designed to facilitate submission and grading of student assignments. Versions prior to 2.9.1 contain a critical security flaw classified as CWE-23: Relative Path Traversal. This vulnerability arises from insecure handling of zip file uploads by instructors when creating assignments from exported configurations. Specifically, the application does not properly validate or sanitize the entry names within the uploaded zip archive, allowing path traversal sequences (e.g., '../') to manipulate file paths. Consequently, an authenticated instructor with the ability to upload zip files can craft archive entries that write files outside the intended directory structure on the server's filesystem. This can lead to overwriting critical files, uploading malicious scripts, or modifying configuration files, resulting in full compromise of confidentiality, integrity, and availability (CIA triad). The CVSS v3.1 score of 9.1 reflects the high severity, with network attack vector, low attack complexity, required high privileges, no user interaction, and scope change. The vulnerability was publicly disclosed on February 9, 2026, and fixed in Markus version 2.9.1. No known exploits have been reported in the wild yet, but the potential impact is severe given the nature of the flaw and the privileged access required to exploit it.
Potential Impact
For European organizations, particularly educational institutions using Markus for assignment management, this vulnerability poses a significant risk. Exploitation could allow attackers to overwrite or create arbitrary files on the server, potentially leading to unauthorized code execution, data theft, or denial of service. This threatens sensitive student data confidentiality and the integrity of grading processes. The availability of the service could also be disrupted, impacting academic operations. Given the critical CVSS score and the ability to escalate impact beyond the initially affected component (scope change), organizations face risks of widespread compromise within their infrastructure if Markus servers are connected to broader networks. The requirement for authenticated high-privilege users limits exposure but insider threats or compromised instructor accounts could be leveraged. The lack of known exploits in the wild suggests a window for proactive mitigation before active attacks emerge.
Mitigation Recommendations
European organizations should immediately upgrade all Markus instances to version 2.9.1 or later, where the vulnerability is patched. Until upgrades are complete, implement strict access controls to limit instructor upload permissions and monitor for unusual file upload activity. Employ network segmentation to isolate Markus servers from critical infrastructure. Validate and sanitize all uploaded zip file contents at the application or proxy level to detect and block path traversal sequences. Conduct regular audits of file system integrity on Markus servers to detect unauthorized changes. Educate instructors and administrators about the risks of compromised credentials and enforce strong authentication mechanisms, including multi-factor authentication. Maintain up-to-date backups of critical data to enable recovery in case of compromise. Finally, monitor threat intelligence sources for emerging exploit reports related to CVE-2026-25057.
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Finland, Belgium, Italy, Spain
CVE-2026-25057: CWE-23: Relative Path Traversal in MarkUsProject Markus
Description
CVE-2026-25057 is a critical relative path traversal vulnerability in MarkUsProject's Markus web application versions prior to 2. 9. 1. It allows authenticated instructors with high privileges to upload specially crafted zip files containing malicious path entries, enabling arbitrary file writes on the server. This can lead to full compromise of confidentiality, integrity, and availability of the affected system. The vulnerability is fixed in version 2. 9. 1. No known exploits are currently reported in the wild. European educational institutions using Markus versions below 2.
AI-Powered Analysis
Technical Analysis
MarkUsProject's Markus is a web application designed to facilitate submission and grading of student assignments. Versions prior to 2.9.1 contain a critical security flaw classified as CWE-23: Relative Path Traversal. This vulnerability arises from insecure handling of zip file uploads by instructors when creating assignments from exported configurations. Specifically, the application does not properly validate or sanitize the entry names within the uploaded zip archive, allowing path traversal sequences (e.g., '../') to manipulate file paths. Consequently, an authenticated instructor with the ability to upload zip files can craft archive entries that write files outside the intended directory structure on the server's filesystem. This can lead to overwriting critical files, uploading malicious scripts, or modifying configuration files, resulting in full compromise of confidentiality, integrity, and availability (CIA triad). The CVSS v3.1 score of 9.1 reflects the high severity, with network attack vector, low attack complexity, required high privileges, no user interaction, and scope change. The vulnerability was publicly disclosed on February 9, 2026, and fixed in Markus version 2.9.1. No known exploits have been reported in the wild yet, but the potential impact is severe given the nature of the flaw and the privileged access required to exploit it.
Potential Impact
For European organizations, particularly educational institutions using Markus for assignment management, this vulnerability poses a significant risk. Exploitation could allow attackers to overwrite or create arbitrary files on the server, potentially leading to unauthorized code execution, data theft, or denial of service. This threatens sensitive student data confidentiality and the integrity of grading processes. The availability of the service could also be disrupted, impacting academic operations. Given the critical CVSS score and the ability to escalate impact beyond the initially affected component (scope change), organizations face risks of widespread compromise within their infrastructure if Markus servers are connected to broader networks. The requirement for authenticated high-privilege users limits exposure but insider threats or compromised instructor accounts could be leveraged. The lack of known exploits in the wild suggests a window for proactive mitigation before active attacks emerge.
Mitigation Recommendations
European organizations should immediately upgrade all Markus instances to version 2.9.1 or later, where the vulnerability is patched. Until upgrades are complete, implement strict access controls to limit instructor upload permissions and monitor for unusual file upload activity. Employ network segmentation to isolate Markus servers from critical infrastructure. Validate and sanitize all uploaded zip file contents at the application or proxy level to detect and block path traversal sequences. Conduct regular audits of file system integrity on Markus servers to detect unauthorized changes. Educate instructors and administrators about the risks of compromised credentials and enforce strong authentication mechanisms, including multi-factor authentication. Maintain up-to-date backups of critical data to enable recovery in case of compromise. Finally, monitor threat intelligence sources for emerging exploit reports related to CVE-2026-25057.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-01-28T14:50:47.889Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 698a36074b57a58fa16ab1c3
Added to database: 2/9/2026, 7:31:19 PM
Last enriched: 2/17/2026, 9:42:52 AM
Last updated: 2/21/2026, 2:19:20 AM
Views: 33
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-27203: CWE-15: External Control of System or Configuration Setting in YosefHayim ebay-mcp
HighCVE-2026-27168: CWE-122: Heap-based Buffer Overflow in HappySeaFox sail
HighCVE-2026-27134: CWE-287: Improper Authentication in strimzi strimzi-kafka-operator
HighCVE-2026-27190: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in denoland deno
HighCVE-2026-27026: CWE-770: Allocation of Resources Without Limits or Throttling in py-pdf pypdf
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.