Plattform
other
Komponente
polarlearn
Behoben in
0.0.1
CVE-2026-25221 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting PolarLearn, a free and open-source learning program. This flaw allows attackers to leverage the OAuth 2.0 implementation for GitHub and Google login providers to hijack user sessions. The vulnerability exists in versions up to v0-PRERELEASE-15, and a fix is available in version 0.0.1.
An attacker can exploit this CSRF vulnerability to trick a legitimate user into unknowingly performing actions on their behalf within PolarLearn. Specifically, the attacker can pre-authenticate a session using the victim's GitHub or Google account. Any data the victim subsequently enters, such as academic progress or personal information, will be stored on the attacker's account, leading to data loss for the victim. Furthermore, the attacker gains access to information associated with the victim's account, resulting in information disclosure. This vulnerability highlights the importance of proper state parameter validation in OAuth 2.0 flows.
CVE-2026-25221 was publicly disclosed on 2026-02-02. There is currently no known public proof-of-concept (POC) available. The vulnerability is not listed on the CISA KEV catalog. The probability of exploitation is currently considered low due to the lack of a public POC and the relatively recent disclosure.
Educational institutions and individuals using PolarLearn for online learning are at risk. Specifically, users who rely on GitHub or Google for authentication are particularly vulnerable. Those using older, unpatched versions of PolarLearn are most susceptible to exploitation.
disclosure
Exploit-Status
EPSS
0.01% (2% Perzentil)
CISA SSVC
The primary mitigation for CVE-2026-25221 is to immediately upgrade PolarLearn to version 0.0.1 or later, which contains the fix for this CSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which PolarLearn can load resources. Additionally, educate users about the risks of clicking on suspicious links or visiting untrusted websites while logged into PolarLearn. While a WAF may offer some protection, it is not a substitute for patching the application.
Aktualisieren Sie PolarLearn auf eine Version, die neuer als 0-PRERELEASE-15 ist. Dies behebt die CSRF-Schwachstelle in der OAuth 2.0-Authentifizierung für GitHub- und Google-Login-Anbieter. Das Update implementiert die Verifizierung des state Parameters während des Authentifizierungsflusses und verhindert, dass ein Angreifer eine Sitzung vorab authentifiziert und ein Opfer dazu bringt, sich in das Konto des Angreifers anzumelden.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-25221 is a Cross-Site Request Forgery (CSRF) vulnerability in PolarLearn versions up to v0-PRERELEASE-15, allowing attackers to hijack user sessions via GitHub and Google OAuth login.
You are affected if you are using PolarLearn versions prior to 0.0.1 and rely on GitHub or Google for authentication.
Upgrade PolarLearn to version 0.0.1 or later to resolve the vulnerability. Consider implementing a Content Security Policy (CSP) as a temporary mitigation.
There is currently no confirmed active exploitation of CVE-2026-25221, but the lack of a public proof-of-concept does not guarantee safety.
Refer to the PolarLearn project's official website or repository for the latest security advisories and updates.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.