What is CVE-2026-25057?

CVE-2026-25057 is a critical-severity vulnerability in Markusproject Markus, classified under Relative Path Traversal. CVSS score: 9.1/10. Published 2026-02-09.

How severe is CVE-2026-25057?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Path Traversal in Markusproject Markus

CVE-2026-25057

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration (courses/<:course_id>/assignments/upload_co…

EPSS: 0.001 (29.1th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

Affected products

Markusproject Markus — versions < 2.9.1

Weakness classification (CWE)

CWE-23 — Relative Path Traversal

References

https://github.com/MarkUsProject/Markus/security/advisories/GHSA-mccg-p332-252h (x_refsource_CONFIRM)
https://github.com/MarkUsProject/Markus/commit/0ca002a1f0071c7a00dbb2ed34fede57323c5dc7 (x_refsource_MISC)
https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-25057?: CVE-2026-25057 is a critical-severity vulnerability in Markusproject Markus, classified under Relative Path Traversal. CVSS score: 9.1/10. Published 2026-02-09.
How severe is CVE-2026-25057?: Critical severity. CVSS v3 base score is 9.1 out of 10.