VYPR
Unrated severityOSV Advisory· Published Jan 29, 2026· Updated Feb 2, 2026

PolarLearn's unvalidated vote direction allows vote count manipulation

CVE-2026-25126

Description

PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (POST /api/v1/forum/vote) trusts the JSON body’s direction value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., "x") as direction. Downstream (VoteServer) treats any non-"up" and non-null value as a downvote and persists the invalid value in votes_data. This can be exploited to bypass intended business logic. Version 0-PRERELEASE-15 fixes the vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Polarnl/PolarlearnOSV2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <0-PRERELEASE-15

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.