PT-2026-23504 · Markus · Markus

Ibrah-M +2 · Published 2026-03-05 · Updated 2026-03-07 · CVE-2026-28405

CVSS v3.1: 8.0 (High)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: MarkUs versions prior to 2.9.1

Description: MarkUs is a web application used for submitting and grading student assignments. Versions prior to 2.9.1 are susceptible to an issue where the application reads and renders the contents of student-submitted files without proper sanitization via the courses/<:course id>/assignments/<:assignment id>/submissions/html content route. The vulnerable route allows for the execution of arbitrary HTML content. The course id and assignment id are parameters used in the affected API endpoint.

Recommendations: Update to version 2.9.1 or later.
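
The rendering pattern from the description, next to two common mitigations, as an added example that is not MarkUs code and not the 2.9.1 fix. The function names, the Rack-style response triplets and the sample submission are constructed for illustration.

```ruby
require "erb"

# Constructed sample: contents of a file a student might submit.
SUBMITTED_FILE = %(<h1>Report</h1><script>document.title = "changed"</script>)

HTML_TYPE = "text/html; charset=utf-8"

# Pattern from the description: the file's bytes become the HTML response
# body, so markup in the submission is parsed in the application's origin.
def render_unsanitized(file_contents)
  [200, { "Content-Type" => HTML_TYPE }, file_contents]
end

# Mitigation A (assumption): display the submission as text by escaping it.
def render_escaped(file_contents)
  body = "<pre>#{ERB::Util.html_escape(file_contents)}</pre>"
  [200, { "Content-Type" => HTML_TYPE, "X-Content-Type-Options" => "nosniff" }, body]
end

# Mitigation B (assumption): when the HTML has to be rendered, keep the body
# but send the CSP "sandbox" directive, which makes the browser load it in a
# unique origin with scripts disabled.
def render_sandboxed(file_contents)
  headers = { "Content-Type" => HTML_TYPE,
              "Content-Security-Policy" => "sandbox",
              "X-Content-Type-Options" => "nosniff" }
  [200, headers, file_contents]
end

# Review check: does this response hand submitted markup to the browser as
# active HTML in the application's own origin?
def active_content_risk?(response, submitted)
  _status, headers, body = response
  html = headers.fetch("Content-Type", "").start_with?("text/html")
  csp = headers.fetch("Content-Security-Policy", "")
  sandboxed = csp.split(";").map { |d| d.strip.split.first }.include?("sandbox")
  html && submitted.match?(/[<>]/) && body.include?(submitted) && !sandboxed
end

if __FILE__ == $PROGRAM_NAME
  %i[render_unsanitized render_escaped render_sandboxed].each do |name|
    risky = active_content_risk?(send(name, SUBMITTED_FILE), SUBMITTED_FILE)
    puts format("%-20s active content risk: %s", name, risky)
  end
end
```

The same check can be pointed at captured responses from a staging instance after upgrading, to confirm that submitted markup is no longer returned as unsandboxed HTML.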

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-28405
GHSA-P5PC-PXRJ-3893

Affected Products

Markus