Platform
other
Component
polarlearn
Fixed in
0.0.1
CVE-2026-25221 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting PolarLearn, a free and open-source learning program. This flaw allows attackers to leverage the OAuth 2.0 implementation for GitHub and Google login providers to hijack user sessions. The vulnerability exists in versions up to v0-PRERELEASE-15, and a fix is available in version 0.0.1.
An attacker can exploit this CSRF vulnerability to trick a legitimate user into unknowingly performing actions on their behalf within PolarLearn. Specifically, the attacker can pre-authenticate a session using the victim's GitHub or Google account. Any data the victim subsequently enters, such as academic progress or personal information, will be stored on the attacker's account, leading to data loss for the victim. Furthermore, the attacker gains access to information associated with the victim's account, resulting in information disclosure. This vulnerability highlights the importance of proper state parameter validation in OAuth 2.0 flows.
CVE-2026-25221 was publicly disclosed on 2026-02-02. There is currently no known public proof-of-concept (POC) available. The vulnerability is not listed on the CISA KEV catalog. The probability of exploitation is currently considered low due to the lack of a public POC and the relatively recent disclosure.
Exploit Status
EPSS
0.01% (2% percentile)
CISA SSVC
The primary mitigation for CVE-2026-25221 is to immediately upgrade PolarLearn to version 0.0.1 or later, which contains the fix for this CSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Content Security Policy (CSP) to restrict the sources from which PolarLearn can load resources. Additionally, educate users about the risks of clicking on suspicious links or visiting untrusted websites while logged into PolarLearn. While a WAF may offer some protection, it is not a substitute for patching the application.
Update PolarLearn to a version later than 0-PRERELEASE-15. This corrects the CSRF vulnerability in the OAuth 2.0 authentication for the GitHub and Google login providers. The update implements the verification of the state parameter during the authentication flow, preventing an attacker from pre-authenticating a session and tricking the victim into logging into the attacker's account.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-25221 is a Cross-Site Request Forgery (CSRF) vulnerability in PolarLearn versions up to v0-PRERELEASE-15, allowing attackers to hijack user sessions via GitHub and Google OAuth login.
You are affected if you are using PolarLearn versions prior to 0.0.1 and rely on GitHub or Google for authentication.
Upgrade PolarLearn to version 0.0.1 or later to resolve the vulnerability. Consider implementing a Content Security Policy (CSP) as a temporary mitigation.
There is currently no confirmed active exploitation of CVE-2026-25221, but the lack of a public proof-of-concept does not guarantee safety.
Refer to the PolarLearn project's official website or repository for the latest security advisories and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.