PT-2026-5369 · Unknown · Polarlearn
Jvr2022 · Published 2026-01-29 · Updated 2026-01-30 · CVE-2026-25126
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: PolarLearn versions prior to 0-PRERELEASE-15
Description: PolarLearn is a free and open-source learning program. The POST /api/v1/forum/vote API route trusts the direction value in the JSON body without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send an arbitrary string, such as "x", as the direction parameter. The VoteServer component interprets any value other than "up" or null as a downvote and persists the invalid value in the votes data. This can be used to bypass intended business logic.
Recommendations: Update to version 0-PRERELEASE-15 or later.


Related Identifiers: CVE-2026-25126, GHSA-GHPX-5W2P-P3QP
Affected Products: Polarlearn