Platform: other
Component: markus
Fixed in: 2.9.2
CVE-2026-25057 is a critical Remote Code Execution (RCE) vulnerability affecting MarkUs, a web application for managing student assignments. This flaw allows an attacker to upload a specially crafted ZIP file during assignment creation, potentially leading to arbitrary code execution on the server. The vulnerability impacts MarkUs versions 2.9.1 and earlier, and a patch is available in version 2.9.1.
The impact of CVE-2026-25057 is severe. A successful exploit allows an attacker to execute arbitrary code on the MarkUs server with the privileges of the user running the MarkUs process, typically an instructor account. This could lead to complete system compromise, data exfiltration (including student submissions and grades), and the installation of persistent malware. The attacker could potentially gain control of the entire server infrastructure if the MarkUs server has elevated privileges or access to other sensitive systems. This vulnerability resembles file upload vulnerabilities where path traversal is not properly validated, allowing attackers to write files outside of the intended directory.
CVE-2026-25057 was publicly disclosed on 2026-02-09. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature suggests a relatively low barrier to exploitation. The CVSS score of 9.1 (CRITICAL) reflects the high likelihood of exploitation and severe impact. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.11% (29th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-25057 is to upgrade MarkUs to version 2.9.1 or later immediately. If upgrading is not immediately feasible, restrict the file upload functionality to trusted users only. Implement strict validation of archive entry names and resolved paths so that extraction can never write outside the intended directory (path traversal). A Web Application Firewall (WAF) configured to detect and block suspicious file uploads adds a further layer of defense. Monitor MarkUs server logs for unusual file creation or modification activity.
Update MarkUs to version 2.9.1 or higher. This version fixes the Zip Slip vulnerability that allows remote code execution; the update prevents malicious archive entries from overwriting system files.
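The "strict validation of archive entry names" recommended above is the standard Zip Slip guard: resolve where each entry would be written and refuse any entry that lands outside the extraction directory. The Ruby example below is an added illustration, not MarkUs's own code; the function names, the destination directory `/srv/markus/assignments/a1` and the entry names are constructed for this example.

```ruby
# Zip Slip guard: resolve where an archive entry would land and refuse any
# entry that escapes the extraction directory. Added example, not MarkUs code.

# Returns the absolute destination path for +entry_name+ under +dest_dir+,
# or nil if writing the entry would escape +dest_dir+.
def resolve_zip_entry(dest_dir, entry_name)
  dest = File.expand_path(dest_dir)

  # Reject names that File.expand_path would not anchor inside dest:
  # absolute paths (POSIX or Windows drive letter), home-directory expansion
  # ("~", which expand_path honours) and embedded NUL bytes, which some
  # extractors silently truncate at.
  return nil if entry_name.empty? || entry_name.include?("\0")
  return nil if entry_name.start_with?('/', '\\', '~')
  return nil if entry_name.match?(/\A[A-Za-z]:/)

  # Treat backslashes as separators so "..\\..\\x" normalises like "../../x".
  candidate = File.expand_path(entry_name.gsub('\\', '/'), dest)

  # The resolved path must be dest itself or a descendant of dest.
  inside = candidate == dest || candidate.start_with?(dest + File::SEPARATOR)
  inside ? candidate : nil
end

# Classifies entry names into those safe to write (with their resolved
# target path) and those that must be rejected before any file I/O happens.
def classify_zip_entries(dest_dir, entry_names)
  result = { safe: {}, rejected: [] }
  entry_names.each do |name|
    target = resolve_zip_entry(dest_dir, name)
    if target
      result[:safe][name] = target
    else
      result[:rejected] << name
    end
  end
  result
end

# Constructed sample: an assignment archive mixing legitimate starter files
# with traversal attempts of the kind a Zip Slip check must catch.
SAMPLE_ENTRIES = [
  'starter/main.py',
  'starter/../README.md',          # normalises to a path still inside dest
  '../../tmp/escaped.txt',
  'starter/../../escaped.txt',
  'starter\\..\\..\\escaped.txt',  # Windows-style separators
  '/tmp/absolute.txt',
  '~/escaped.txt'
].freeze

if __FILE__ == $PROGRAM_NAME
  report = classify_zip_entries('/srv/markus/assignments/a1', SAMPLE_ENTRIES)
  report[:safe].each { |name, path| puts "OK      #{name} -> #{path}" }
  report[:rejected].each { |name| puts "REJECT  #{name}" }
end
```

The check is deliberately performed on the resolved path rather than by searching the raw name for `..`, because `starter/../README.md` is harmless while `starter/../../escaped.txt` is not; only normalisation against the destination distinguishes them. In a real extractor, call `resolve_zip_entry` for every entry before opening any output file, and treat a single rejected entry as grounds to discard the whole upload.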
CVE-2026-25057 is a critical Remote Code Execution vulnerability in MarkUs versions 2.9.1 and earlier. It allows attackers to execute arbitrary code by uploading malicious ZIP files during assignment creation.
Yes, if you are using MarkUs version 2.9.1 or earlier, you are affected by this vulnerability. Upgrade to version 2.9.1 to mitigate the risk.
The recommended fix is to upgrade MarkUs to version 2.9.1 or later. If upgrading is not immediately possible, restrict file upload privileges and implement strict input validation.
While no public exploits are currently known, the vulnerability's nature suggests a high likelihood of exploitation. It's crucial to apply the patch promptly.
Refer to the official MarkUs security advisory for detailed information and updates: [https://markus.byu.edu/security/advisories](https://markus.byu.edu/security/advisories)