6.5

MarkUs allows malicious zip files to bypass size and entry limits

CVE-2026-25962
Summary

A security update is available for MarkUs version 2.9.4 to prevent malicious zip files from being uploaded and processed. Affected users should update to the latest version to ensure their system remains secure.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor         Product  Affected versions  Fix available
markusproject  markus   <= 2.9.4           –
Original title
MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs currently extracts zip files without any size or entry-count limits. For example, i...
Original description
MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs currently extracts zip files without any size or entry-count limits. For example, instructors can upload a zip file to provide an assignment configuration; students can upload a zip file for an assignment submission and indicate its contents should be extracted. This issue has been patched in version 2.9.4.
NVD CVSS 3.1: 6.5
Vulnerability type
CWE-409
Published: 6 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026
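
The description above names two missing controls: a cap on the number of entries and a cap on extracted size. The following is an added example, not MarkUs code or its patch, showing both checks with Python's standard zipfile module; the limit values and the names read_zip_bounded, ZipLimitError and make_zip are assumptions for illustration.

```python
import io
import zipfile

# Assumed limits for illustration; not values taken from MarkUs.
MAX_ENTRIES = 1000
MAX_TOTAL_BYTES = 50 * 1024 * 1024
CHUNK = 64 * 1024


class ZipLimitError(Exception):
    """Archive exceeds the configured extraction budget."""


def read_zip_bounded(data, max_entries=MAX_ENTRIES, max_total=MAX_TOTAL_BYTES):
    """Return {name: bytes} for a zip, enforcing entry-count and size limits."""
    out, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            raise ZipLimitError(f"{len(infos)} entries exceeds limit {max_entries}")
        # Header sizes are attacker-supplied: use them only for an early reject.
        if sum(i.file_size for i in infos) > max_total:
            raise ZipLimitError("declared uncompressed size exceeds limit")
        for info in infos:
            if info.is_dir():
                continue
            buf = bytearray()
            with zf.open(info) as src:
                # Enforce the budget on bytes actually decompressed, chunk by chunk.
                while chunk := src.read(CHUNK):
                    total += len(chunk)
                    if total > max_total:
                        raise ZipLimitError("decompressed size exceeds limit")
                    buf += chunk
            out[info.filename] = bytes(buf)
    return out


def make_zip(files):
    """Build a constructed sample archive in memory from {name: bytes}."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return bio.getvalue()
```

The total is tracked across all entries, so many moderately sized files are rejected the same way as one oversized file.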