Unrated severityOSV Advisory· Published Jan 29, 2026· Updated Feb 2, 2026
PolarLearn's unvalidated vote direction allows vote count manipulation
CVE-2026-25126
Description
PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (POST /api/v1/forum/vote) trusts the JSON body’s direction value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., "x") as direction. Downstream (VoteServer) treats any non-"up" and non-null value as a downvote and persists the invalid value in votes_data. This can be exploited to bypass intended business logic. Version 0-PRERELEASE-15 fixes the vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <0-PRERELEASE-15
Patches
Vulnerability mechanics
References
2- github.com/polarnl/PolarLearn/commit/e6227d94d0e53e854f6a46480db8cd1051184d41mitrex_refsource_MISC
- github.com/polarnl/PolarLearn/security/advisories/GHSA-ghpx-5w2p-p3qpmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.