5.4

MarkUs: Unsanitized File Content Exposed in Student Submissions

CVE-2026-28405
Summary

A security issue in older versions of MarkUs allowed attackers to see the contents of student-submitted files. This could potentially allow them to access sensitive information. Update to version 2.9.1 or later to fix the issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
markusproject | markus | <= 2.9.1 | –
Original title
MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content route reads...
Original description
MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content route reads the contents of a student-submitted file and renders them without sanitization. This issue has been patched in version 2.9.1.
NVD CVSS 3.1: 8.0
Vulnerability type
CWE-79 Cross-site Scripting (XSS)
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026