CVE-2026-25057 – Zip Slip in MarkUs config upload allowing RCE

CVE ID : CVE-2026-25057

Published : Feb. 9, 2026, 7:16 p.m. | 1 hour, 4 minutes ago

Description : MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration (courses//assignments/upload_config_files). The uploaded zip file entry names are used to create paths to write files to disk without checking these paths. This vulnerability is fixed in 2.9.1.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…