Unrated severity · OSV Advisory · Published Jan 29, 2026 · Updated Feb 2, 2026
PolarLearn's unvalidated vote direction allows vote count manipulation
CVE-2026-25126
Description
PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (POST /api/v1/forum/vote) trusts the JSON body's direction value without runtime validation. TypeScript types exist only at compile time and are not enforced on incoming request bodies, so an attacker can send an arbitrary string (e.g., "x") as direction. Downstream, VoteServer treats any value that is neither "up" nor null as a downvote and persists the invalid value in votes_data. This allows the intended vote business logic to be bypassed. Version 0-PRERELEASE-15 fixes the vulnerability.
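The following is an added example, not PolarLearn's own code: it models the behaviour the description attributes to the vote route and VoteServer, then shows the runtime check the fix needs. Function names, the VoteRow shape and the in-memory store standing in for votes_data are assumptions for illustration.

```typescript
// Added example (not PolarLearn's code). Models the advisory's mechanics:
// a handler that trusts the JSON body's `direction` beside one that validates it.

type VoteDirection = "up" | "down" | null;

// Hypothetical row shape; `direction` is what would be persisted in votes_data.
interface VoteRow {
  postId: string;
  userId: string;
  direction: string | null;
}

interface VoteResult {
  delta: number;          // effect on the post's vote count
  stored: string | null;  // value that ends up persisted
}

// Vulnerable shape: the static type on the body is a compile-time claim only.
// Anything that is neither "up" nor null is counted as a downvote, and the raw
// attacker-supplied value (e.g. "x") is persisted as-is.
function handleVoteVulnerable(body: unknown, userId: string, store: VoteRow[]): VoteResult {
  const { postId, direction } = body as { postId: string; direction: string | null };
  const delta = direction === null ? 0 : direction === "up" ? 1 : -1;
  store.push({ postId, userId, direction });
  return { delta, stored: direction };
}

// Hardened shape: validate the body at runtime against the allowed set and
// reject everything else before it reaches vote logic or storage.
const ALLOWED_DIRECTIONS: ReadonlySet<string> = new Set(["up", "down"]);

function parseVoteBody(body: unknown): { postId: string; direction: VoteDirection } {
  if (typeof body !== "object" || body === null) throw new Error("invalid body");
  const b = body as Record<string, unknown>;
  if (typeof b.postId !== "string" || b.postId.length === 0) throw new Error("invalid postId");
  const d = b.direction;
  if (d === null) return { postId: b.postId, direction: null };           // explicit "remove my vote"
  if (typeof d === "string" && ALLOWED_DIRECTIONS.has(d)) {
    return { postId: b.postId, direction: d as VoteDirection };
  }
  throw new Error(`invalid direction: ${JSON.stringify(d)}`);
}

function handleVoteHardened(body: unknown, userId: string, store: VoteRow[]): VoteResult {
  const { postId, direction } = parseVoteBody(body);
  const delta = direction === null ? 0 : direction === "up" ? 1 : -1;
  store.push({ postId, userId, direction });
  return { delta, stored: direction };
}

// Constructed demonstration: the attacker sends direction "x".
function demo(): { vulnerableDelta: number; vulnerableStored: string | null; hardenedRejected: boolean } {
  const attackerBody = { postId: "p1", direction: "x" };
  const vulnStore: VoteRow[] = [];
  const r = handleVoteVulnerable(attackerBody, "u1", vulnStore);
  let hardenedRejected = false;
  try {
    handleVoteHardened(attackerBody, "u1", []);
  } catch {
    hardenedRejected = true;
  }
  return { vulnerableDelta: r.delta, vulnerableStored: r.stored, hardenedRejected };
}
```

In the vulnerable path the "x" vote is tallied as a downvote (delta -1) and "x" is written to the store; in the hardened path the same request is rejected before any state changes. The same check should apply to every field the route reads from the body, since none of the TypeScript annotations are checked at runtime.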
Affected products: 1
Patches
No patches discovered yet.
References
- https://github.com/polarnl/PolarLearn/commit/e6227d94d0e53e854f6a46480db8cd1051184d41 (MISC)
- https://github.com/polarnl/PolarLearn/security/advisories/GHSA-ghpx-5w2p-p3qp (CONFIRM)