CVE-2026-24900

EPSS 0.03%
Veröffentlicht 09.02.2026 18:39:52
Zuletzt bearbeitet 19.02.2026 20:08:14
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content accepted a select_file_id parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correctly scoped to the requesting user, allowing users access arbitrary submission file contents by id. This vulnerability is fixed in 2.9.1.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Markusproject ≫ Markus Version < 2.9.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.09

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://github.com/MarkUsProject/Markus/security/advisories/GHSA-56gh-8hmq-7q88

Vendor Advisory

https://github.com/MarkUsProject/Markus/commit/7daed9fd2d44932223798d997b55094a3bff104b

Patch

https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1

Product

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-24900

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-24900

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-24900

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-24900