CVE-2026-28405: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in MarkUsProject Markus
MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content route reads the contents of a student-submitted file and renders them without sanitization. This issue has been patched in version 2.9.1.
AI Analysis
Technical Summary
CVE-2026-28405 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in the MarkUsProject Markus web application in versions prior to 2.9.1. MarkUs is a platform used for the submission and grading of student assignments. The vulnerability exists in the route courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content, where the application reads the contents of a student-submitted file and renders it directly in the browser without sanitizing or neutralizing any HTML or JavaScript it contains. This improper input handling allows an authenticated attacker to submit a crafted HTML file containing malicious script. When another user views that content, the script executes in the viewer's browser context, potentially leading to session hijacking, credential theft, unauthorized actions, or further exploitation of the application and underlying systems. The vulnerability has low attack complexity but requires the attacker to hold some level of privileges (PR:L) and requires user interaction (UI:R). The CVSS v3.1 base score is 8.0, reflecting high impact on confidentiality, integrity, and availability, with a network attack vector and no scope change. The issue was publicly disclosed and patched in version 2.9.1 of MarkUs. No exploits in the wild had been reported as of the publication date. The vulnerability highlights the importance of input validation and output encoding in web applications that render user-generated content.
Potential Impact
The impact of CVE-2026-28405 is significant for organizations running MarkUs versions prior to 2.9.1, especially educational institutions that manage student assignments online. Successful exploitation can lead to theft of sensitive information such as user credentials and session tokens, unauthorized actions performed on behalf of users, and the spread of malware through malicious scripts. This compromises the confidentiality, integrity, and availability of the application and its data. Attackers could use this vulnerability to escalate privileges or pivot to other internal systems. The requirement for authenticated access limits the attack surface but does not eliminate the risk, since students or insiders could exploit it. The vulnerability undermines trust in the grading platform and could disrupt academic operations. Organizations worldwide that rely on MarkUs for assignment submission and grading face operational and reputational risk while unpatched.
Mitigation Recommendations
To mitigate CVE-2026-28405, organizations should immediately upgrade MarkUs to version 2.9.1 or later, where the vulnerability is patched. In addition to patching:
- Implement strict input validation and sanitization on all user-submitted content, especially HTML or rich-text input.
- Apply output encoding so that any script in submitted content is neutralized before it is rendered in the browser.
- Restrict the file types and content formats accepted for submission to reduce risk.
- Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts.
- Monitor logs for suspicious activity related to assignment submissions and user interactions.
- Educate users about the risks of opening untrusted content, even within an authenticated session.
- Conduct regular security assessments and code reviews focused on input handling and output rendering.
- Consider deploying a web application firewall (WAF) with rules targeting XSS attack patterns as an additional layer of defense.
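The following Ruby block is an added illustration, not code from MarkUs or the advisory, of the rendering pattern the Technical Summary describes beside the two fixes the mitigation list recommends (output encoding, and a CSP that denies script execution). The function names, the response-hash shape and the sample file are assumptions constructed for the example; MarkUs is a Rails application, which is why Ruby is used here.

```ruby
require "erb"

# Constructed sample of a student-submitted file: ordinary report markup with
# active content mixed in. Every uploaded file is untrusted input.
SUBMITTED_FILE = <<~HTML
  <h1>Assignment 1</h1>
  <p>Results below.</p>
  <script>alert(1)</script>
  <img src="x" onerror="alert(2)">
HTML

# The pattern the advisory describes (hypothetical handler): the file is read and
# sent back as-is, so the viewer's browser parses it as HTML and runs its scripts
# in the MarkUs origin, with access to the viewer's session.
def render_html_content_unsafe(file_contents)
  { status: 200,
    headers: { "Content-Type" => "text/html; charset=utf-8" },
    body: file_contents }
end

# Fix 1: output-encode the file so it is displayed as text, never parsed as markup.
def render_html_content_escaped(file_contents)
  { status: 200,
    headers: { "Content-Type" => "text/html; charset=utf-8",
               "X-Content-Type-Options" => "nosniff" },
    body: "<pre>#{ERB::Util.html_escape(file_contents)}</pre>" }
end

# Fix 2: when graders must see the file rendered, serve it as its own document
# under a CSP `sandbox`: scripts and inline handlers are denied and the document
# gets an opaque origin, so it cannot read the MarkUs session or touch its DOM.
def render_html_content_sandboxed(file_contents)
  { status: 200,
    headers: { "Content-Type" => "text/html; charset=utf-8",
               "X-Content-Type-Options" => "nosniff",
               "Content-Security-Policy" =>
                 "sandbox; default-src 'none'; img-src data:; style-src 'unsafe-inline'" },
    body: file_contents }
end

# Review check: can submitted script still run? True only when the body carries
# executable markup AND no bare `sandbox` directive denies it (a directive of
# `sandbox allow-scripts` is deliberately not accepted).
def executes_submitted_script?(response)
  active_markup = response[:body].match?(/<script\b|<\w+[^>]*\bon\w+\s*=/i)
  directives = response[:headers].fetch("Content-Security-Policy", "")
                                 .split(";").map(&:strip)
  active_markup && !directives.include?("sandbox")
end
```

The check is a code-review aid for spotting the unsafe pattern, not a sanitizer; the protection comes from the escaping or the CSP header, not from the regex.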
Affected Countries
United States, Canada, United Kingdom, Australia, Germany, France, Netherlands, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-27T15:33:57.289Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a9e67761e8e69ef5f70093
Added to database: 3/5/2026, 8:24:23 PM
Last enriched: 3/5/2026, 8:30:50 PM
Last updated: 3/5/2026, 9:44:59 PM