Zip Slip in MarkUs config upload allowing RCE

The vulnerability lies in the assignment configuration upload process. Instructors can upload a zip file containing course configuration data. However, the application fails to properly sanitize the filenames within the uploaded zip archive. An attacker can craft a malicious zip file with carefully named entries that, when extracted, will overwrite files on the server's filesystem with attacker-controlled content. This allows for arbitrary code execution, potentially granting the attacker complete control over the MarkUs server and any data it contains. The blast radius extends to sensitive student data, course materials, and potentially other systems accessible from the compromised server. This vulnerability shares similarities with other file upload vulnerabilities where improper filename sanitization leads to path traversal and arbitrary file writes.

Educational institutions and organizations using MarkUs for assignment submission and grading are at risk. Specifically, instructors with upload privileges are the primary targets. Shared hosting environments where multiple MarkUs instances are deployed on the same server could amplify the impact, as a compromise of one instance could potentially lead to the compromise of others.

• linux / server: Monitor MarkUs server logs for unusual file creation activity, particularly in directories related to assignment uploads. Use journalctl -f -u markus to monitor the MarkUs service logs for suspicious entries.

 grep -i 'upload' /var/log/markus/markus.log | grep -i 'path' 

• generic web: Monitor web server access logs for requests containing suspicious file names or extensions related to assignment uploads. Check for unusual file creation timestamps in the MarkUs assignment directories.

1. 2026-02-09Disclosure

   disclosure

1. Reserviert2026-01-28
2. Veröffentlicht2026-02-09
3. Geändert2026-02-10
4. EPSS aktualisiert2026-03-23

The primary mitigation is to immediately upgrade MarkUs to version 2.9.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block uploads containing suspicious filenames or path traversal sequences. Additionally, restrict file upload permissions to the MarkUs user account and ensure the upload directory has limited write access. Monitor MarkUs logs for unusual file creation or modification activity. After upgrading, verify the fix by attempting to upload a zip file with a malicious filename and confirming that the application rejects the upload or sanitizes the filename appropriately.