CVE-2026-25126

Exploit

EPSS 0.02%
Veröffentlicht 29.01.2026 22:06:37
Zuletzt bearbeitet 20.02.2026 20:46:35
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (`POST /api/v1/forum/vote`) trusts the JSON body’s `direction` value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., `"x"`) as `direction`. Downstream (`VoteServer`) treats any non-`"up"` and non-`null` value as a downvote and persists the invalid value in `votes_data`. This can be exploited to bypass intended business logic. Version 0-PRERELEASE-15 fixes the vulnerability.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Polarlearn ≫ Polarlearn Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.051

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.1	2.8	4.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/polarnl/PolarLearn/security/advisories/GHSA-ghpx-5w2p-p3qp

Vendor Advisory

Exploit

https://github.com/polarnl/PolarLearn/commit/e6227d94d0e53e854f6a46480db8cd1051184d41

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-25126

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-25126

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-25126

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-25126