Unrated severityNVD Advisory· Published Feb 9, 2026· Updated Feb 10, 2026

MarkUs has a submission-view IDOR exposes all student submissions

CVE-2026-24900

Description

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content accepted a select_file_id parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correctly scoped to the requesting user, allowing users access arbitrary submission file contents by id. This vulnerability is fixed in 2.9.1.

Affected products

MarkUs/MarkUsllm-fuzzy
Range: <2.9.1
MarkUsProject/Markusv5
Range: < 2.9.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/MarkUsProject/Markus/commit/7daed9fd2d44932223798d997b55094a3bff104bmitrex_refsource_MISC
github.com/MarkUsProject/Markus/releases/tag/v2.9.1mitrex_refsource_MISC
github.com/MarkUsProject/Markus/security/advisories/GHSA-56gh-8hmq-7q88mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000