CVE-2026-25126
Unknown Unknown - Not Provided
Improper Input Validation in PolarLearn Vote API Enables Logic Bypass

Publication date: 2026-01-29

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (`POST /api/v1/forum/vote`) trusts the JSON body’s `direction` value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., `"x"`) as `direction`. Downstream (`VoteServer`) treats any non-`"up"` and non-`null` value as a downvote and persists the invalid value in `votes_data`. This can be exploited to bypass intended business logic. Version 0-PRERELEASE-15 fixes the vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-01-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25126
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
polarlearn polarlearn *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in PolarLearn prior to version 0-PRERELEASE-15 involves the vote API route (`POST /api/v1/forum/vote`) trusting the JSON body's `direction` value without runtime validation. Since TypeScript types are not enforced at runtime, an attacker can send arbitrary strings as the `direction` value. The downstream VoteServer treats any value other than "up" or null as a downvote and stores this invalid value in votes_data. This allows an attacker to bypass the intended business logic related to voting.

Impact Analysis

This vulnerability can impact you by allowing attackers to manipulate the voting system in PolarLearn. They can send arbitrary values to the vote API, causing invalid votes to be recorded and potentially bypassing intended business rules. This could lead to inaccurate vote counts, manipulation of forum content ranking, or other unintended behaviors affecting the integrity of the voting system.

Mitigation Strategies

Upgrade PolarLearn to version 0-PRERELEASE-15 or later, which fixes the vulnerability by adding runtime validation to the vote API route's 'direction' value.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25126. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart