CVE-2026-27807: CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') in MarkUsProject Markus
CVE-2026-27807 is a medium-severity vulnerability in MarkUsProject's Markus web application prior to version 2.9.4. It involves improper restriction of recursive entity references in YAML files uploaded by course instructors, leading to potential XML entity expansion issues. This flaw can cause denial of service by exhausting system resources during YAML parsing with aliases enabled. Exploitation requires authenticated instructor-level privileges and no user interaction is needed. The vulnerability impacts availability but does not affect confidentiality or integrity. It has not been observed exploited in the wild and was patched in version 2.9.4.
AI Analysis
Technical Summary
CVE-2026-27807 is a vulnerability classified under CWE-776 (Improper Restriction of Recursive Entity References in DTDs) affecting MarkUsProject's Markus web application, which is used for submission and grading of student assignments. The issue arises in versions prior to 2.9.4, where course instructors can upload YAML files to create or update entities such as assignment settings. These YAML files are parsed with aliases enabled, which allows recursive entity references. Improper handling of these recursive references can lead to XML entity expansion attacks, commonly known as 'billion laughs' or XML bomb attacks. Such attacks cause excessive resource consumption (CPU and memory), resulting in denial of service (DoS) conditions. The vulnerability requires authenticated access with instructor-level privileges to upload malicious YAML files, and no additional user interaction is necessary. The CVSS v3.1 score is 4.9 (medium), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and impact limited to availability. No known exploits have been reported in the wild. The issue was addressed and patched in Markus version 2.9.4 by restricting recursive entity references during YAML parsing. This vulnerability highlights the risks of insufficient input validation and parsing controls in web applications handling user-uploaded configuration files.
Potential Impact
The primary impact of CVE-2026-27807 is denial of service through resource exhaustion caused by recursive entity expansion during YAML file parsing. This can disrupt the availability of the Markus application, preventing instructors and students from accessing assignment submission and grading functionalities. While confidentiality and integrity are not directly affected, prolonged downtime can hinder educational workflows and delay grading processes. Organizations relying on Markus for course management may experience operational disruptions, especially during peak academic periods. Since exploitation requires authenticated instructor privileges, the risk is somewhat contained within trusted users, but insider threats or compromised instructor accounts could leverage this vulnerability. The absence of known exploits in the wild reduces immediate risk, but unpatched systems remain vulnerable to targeted attacks. The impact is more pronounced in institutions with high reliance on Markus and limited incident response capabilities.
Mitigation Recommendations
To mitigate CVE-2026-27807, organizations should promptly upgrade Markus to version 2.9.4 or later, where the vulnerability is patched. Until upgrading, restrict YAML file upload permissions strictly to trusted instructors and monitor uploads for suspicious content. Implement application-layer controls to validate and sanitize YAML files before parsing, specifically disabling or limiting alias usage and recursive references. Employ runtime resource limits on the application server to prevent excessive CPU and memory consumption during parsing. Conduct regular audits of user privileges to minimize the number of accounts with upload capabilities. Additionally, monitor application logs for unusual parsing errors or performance degradation that may indicate attempted exploitation. Educate instructors on secure file handling practices and enforce strong authentication mechanisms to reduce the risk of account compromise. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential denial of service incidents.
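As an added example (not MarkUs code), this Ruby snippet shows the defensive parse the mitigation paragraph calls for and the expansion the Technical Summary describes: a constructed settings file is loaded with Psych's alias expansion disabled, and the same file is measured with aliases enabled to show how few literal values expand into a much larger tree. It assumes Ruby 2.6+ (Psych 3.1+ keyword arguments); the function names and the sample documents are made up here.

```ruby
require 'yaml'

# Constructed sample: a harmless settings file with no anchors or aliases.
CLEAN_YAML = <<~YAML
  assignment:
    short_identifier: A1
    max_mark: 100
YAML

# Constructed sample: the same settings file carrying anchors (&) and
# aliases (*). Only three literal "x" scalars appear in the text; each
# alias level multiplies what the parser has to build.
ALIASED_YAML = <<~YAML
  base: &base [x, x, x]
  level1: &level1 [*base, *base, *base]
  assignment:
    short_identifier: A1
    tags: [*level1, *level1]
YAML

# Load an uploaded settings file with alias expansion disabled, so a
# document cannot multiply its own content during parsing. Psych raises
# Psych::BadAlias (Psych::AliasesNotEnabled in Psych 4, a subclass) at
# the first alias it meets, before any expansion happens.
def load_settings_safely(yaml_text)
  data = YAML.safe_load(yaml_text, aliases: false)
  [:ok, data]
rescue Psych::BadAlias => e
  [:rejected, "aliases are not permitted in uploaded settings: #{e.message}"]
rescue Psych::SyntaxError => e
  [:rejected, "malformed YAML: #{e.message}"]
end

# Walk the loaded structure and count every leaf value, revisiting shared
# nodes each time an alias pointed at them. This is the cost any later
# traversal (validation, serialization, persistence) pays for the document.
def count_leaves(node)
  case node
  when Hash  then node.values.sum { |v| count_leaves(v) }
  when Array then node.sum { |v| count_leaves(v) }
  else 1
  end
end

# Parse with aliases enabled (the behaviour the advisory describes for
# versions before 2.9.4) purely to measure how far the document expands.
def expanded_leaf_count(yaml_text)
  count_leaves(YAML.safe_load(yaml_text, aliases: true))
end
```

With this sample, three literal scalars in the upload become 31 leaves once aliases are resolved; a document with more nesting levels grows exponentially, which is why rejecting aliases up front is the cheaper control.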
Affected Countries
United States, Canada, United Kingdom, Australia, Germany, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:31:33.267Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aa4a7bc48b3f10ffe32f71
Added to database: 3/6/2026, 3:31:07 AM
Last enriched: 3/6/2026, 3:46:34 AM
Last updated: 3/6/2026, 7:14:08 AM