CVE-2026-25962: CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) in MarkUsProject Markus
MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs currently extracts zip files without any size or entry-count limits. For example, instructors can upload a zip file to provide an assignment configuration; students can upload a zip file for an assignment submission and indicate its contents should be extracted. This issue has been patched in version 2.9.4.
AI Analysis
Technical Summary
CVE-2026-25962 identifies a vulnerability in the Markus web application, a platform used for the submission and grading of student assignments. Prior to version 2.9.4, Markus extracts uploaded zip files without imposing any limits on the size or number of entries within the archive. This improper handling of highly compressed data (CWE-409) allows an attacker with low privileges, such as an instructor uploading an assignment configuration or a student submitting an assignment, to upload a specially crafted zip file that expands to consume excessive disk space or memory during extraction. This data amplification can overwhelm system resources, leading to denial of service (DoS) conditions that disrupt the availability of the Markus service. The vulnerability does not impact confidentiality or integrity, as it does not allow unauthorized data access or modification. Exploitation requires authenticated access but no user interaction beyond the upload itself. The issue was publicly disclosed and patched in Markus version 2.9.4, which introduces limits on zip file extraction to prevent resource exhaustion. No known exploits have been reported in the wild as of the publication date. The CVSS v3.1 base score is 6.5, reflecting a medium severity level primarily due to the availability impact and ease of exploitation by authenticated users.
Potential Impact
The primary impact of CVE-2026-25962 is denial of service through resource exhaustion on servers running vulnerable Markus versions. Educational institutions relying on Markus for assignment submission and grading could experience service outages or degraded performance, disrupting academic workflows and potentially delaying grading processes. Since Markus is often deployed in university or school environments, the availability impact could affect large user bases including students and instructors. The vulnerability requires authenticated access, limiting exploitation to legitimate users, but this does not eliminate risk as students or instructors can be malicious or compromised. There is no direct impact on confidentiality or data integrity, so data breaches or unauthorized data manipulation are not concerns here. However, prolonged downtime or repeated DoS attacks could undermine trust in the platform and force costly incident response or system recovery efforts. Organizations with automated grading pipelines or integrations dependent on Markus may face cascading operational impacts. The absence of known exploits in the wild reduces immediate risk but does not preclude future attacks, especially as the vulnerability is publicly known and patched.
Mitigation Recommendations
The primary mitigation is to upgrade Markus installations to version 2.9.4 or later, where the vulnerability is patched by imposing limits on zip file extraction size and entry count. Until upgrades can be applied, organizations should implement strict input validation and file size limits on uploaded zip files at the web application firewall or reverse proxy level. Monitoring and alerting on unusually large or numerous file extraction operations can help detect exploitation attempts. Role-based access controls should be reviewed to ensure only trusted users can upload zip files for extraction. Rate limiting uploads and isolating the extraction process in sandboxed environments with resource quotas can reduce the impact of potential attacks. Additionally, administrators should audit logs for suspicious upload patterns and educate users about the risks of uploading untrusted archives. Regular backups and incident response plans should be updated to handle potential service disruptions. Finally, security teams should stay informed about Markus updates and vulnerability disclosures to respond promptly to emerging threats.
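As an added illustration (not code from MarkUs; the limit values are assumptions, since the advisory does not state the ones adopted in 2.9.4), the following Python extractor applies the controls the patch description implies: an entry-count cap, a per-entry declared compression ratio check, and a total decompressed-byte budget that is enforced on the decompressor's actual output rather than on header-declared sizes, which an uploader controls. The sample archives at the bottom are constructed in memory so the block runs offline.

```python
import io
import os
import posixpath
import zipfile

MAX_ENTRIES = 500                  # assumed limits; the advisory gives no values
MAX_TOTAL_BYTES = 4 * 1024 * 1024  # decompressed budget per upload
MAX_RATIO = 100                    # declared uncompressed/compressed, per entry
CHUNK = 64 * 1024


class ArchiveLimitExceeded(ValueError):
    pass


def extract_bounded(data, max_entries=MAX_ENTRIES, max_total=MAX_TOTAL_BYTES,
                    max_ratio=MAX_RATIO):
    """Return {name: bytes} for an in-memory zip or raise ArchiveLimitExceeded.
    Declared sizes are attacker-controlled, so the ratio test is only a cheap
    early rejection; the byte budget is enforced on actual decompressor output."""
    out, remaining = {}, max_total
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        if len(infos) > max_entries:
            raise ArchiveLimitExceeded(f"{len(infos)} entries exceed {max_entries}")
        for info in infos:
            name = posixpath.normpath(info.filename)
            if name.startswith(("/", "../")) or name == "..":
                raise ArchiveLimitExceeded(f"unsafe path {info.filename!r}")
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise ArchiveLimitExceeded(f"{info.filename} declares ratio > {max_ratio}")
            buf = io.BytesIO()
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(CHUNK), b""):
                    remaining -= len(chunk)
                    if remaining < 0:
                        raise ArchiveLimitExceeded("decompressed output exceeds budget")
                    buf.write(chunk)
            out[name] = buf.getvalue()
    return out


def build_zip(entries):
    """Constructed test helper: entries is a list of (name, bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


BENIGN = build_zip([("sub/main.py", b"print('hi')\n"), ("sub/notes.md", b"# notes\n")])
BOMB = build_zip([("a.txt", b"\0" * (8 * 1024 * 1024))])         # ~1000:1 deflate ratio
OVERSIZE = build_zip([("big.bin", os.urandom(5 * 1024 * 1024))])  # ratio ~1, over budget
```

A production server would stream each entry to a quota-limited directory instead of buffering it in memory, but the order of checks is the same.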
Affected Countries
United States, Canada, United Kingdom, Germany, Australia, Netherlands, France, India, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-09T17:13:54.066Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aa4a7bc48b3f10ffe32f6d
Added to database: 3/6/2026, 3:31:07 AM
Last enriched: 3/6/2026, 3:46:53 AM
Last updated: 3/7/2026, 3:56:08 AM