CVE-2026-25221

Name of the Vulnerable Software and Affected Versions PolarLearn versions 0-PRERELEASE-15 and earlier

Description The OAuth 2.0 implementation for GitHub and Google login providers is susceptible to Login Cross-Site Request Forgery (CSRF). The application does not implement and verify the state parameter during the authentication process. This allows an attacker to pre-authenticate a session and deceive a victim into logging into the attacker’s account. As a result, any data entered or academic progress made by the victim is stored on the attacker’s account, potentially leading to data loss for the victim and information disclosure to the attacker.

Recommendations Versions prior to 0-PRERELEASE-15 should be updated.