CVE-2026-25057

Name of the Vulnerable Software and Affected Versions MarkUs versions prior to 2.9.1

Description MarkUs is a web application used for submitting and grading student assignments. Prior to version 2.9.1, instructors could upload a zip file to create an assignment from an exported configuration via the /courses/<:course id>/assignments/upload config files API endpoint. The application does not properly validate the file names within the uploaded zip file before using them to create file paths, potentially allowing for malicious paths to be written to disk.

Recommendations Update to version 2.9.1 or later.