MarkUs has a submission-view IDOR exposes all student submissions

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content accepted a select_file_id parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correctly scoped to the requesting user, allowing users access arbitrary submission file contents by id. This vulnerability is fixed in 2.9.1.

Basic Information

ID CVE-2026-24900

Source GitHub_M

Published Feb 9, 2026 at 18:39

Affected Product

Vendor MarkUsProject

Product Markus

Version < 2.9.1

Affected Versions MarkUsProject Markus < 2.9.1

CWE Classification

CWE-639

References

{
    "lastseen": "",
    "description": "MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content accepted a select_file_id parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correctly scoped to the requesting user, allowing users access arbitrary submission file contents by id. This vulnerability is fixed in 2.9.1.",
    "published": "2026-02-09T18:39:52.161Z",
    "modified": "2026-02-09T18:39:52.161Z",
    "type": "cve",
    "title": "MarkUs has a submission-view IDOR exposes all student submissions",
    "source": "GitHub_M",
    "references": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-56gh-8hmq-7q88\nhttps://github.com/MarkUsProject/Markus/commit/7daed9fd2d44932223798d997b55094a3bff104b\nhttps://github.com/MarkUsProject/Markus/releases/tag/v2.9.1",
    "id": "CVE-2026-24900",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "MarkUsProject Markus < 2.9.1",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Markus",
    "version": "< 2.9.1",
    "vendor": "MarkUsProject",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

MarkUs has a submission-view IDOR exposes all student submissions_CVE-2026-24900