CVE-2026-27807
Received Received - Intake
YAML Alias Injection in MarkUs Before 2.9.4 Enables Code Execution

Publication date: 2026-03-06

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs allows course instructors to upload YAML files to create/update various entities (e.g., assignment settings). These YAML files are parsed with aliases enabled. This issue has been patched in version 2.9.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27807
EUVD
EUVD-2026-9968
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
markusproject markus to 2.9.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-776 The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27807 is a moderate severity vulnerability in the MarkUs web application that affects versions prior to 2.9.4. It arises from the way MarkUs handles YAML configuration file uploads by course instructors. The YAML parser processes aliases without restrictions, allowing an attacker to craft a specially designed "billion laughs" style YAML payload. This payload triggers exponential alias expansion, which causes excessive CPU and RAM consumption, leading to a denial of service (DoS). The root cause is improper restriction of recursive entity references in Document Type Definitions (DTDs), classified under CWE-776.'}] [2]

Impact Analysis

This vulnerability can impact you by causing a denial of service (DoS) condition on the MarkUs application. An attacker with network access and high privileges can exploit the unrestricted YAML alias expansion to consume excessive CPU and memory resources, potentially making the application unavailable to legitimate users. There is no impact on confidentiality or integrity, but availability is affected.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves the processing of malicious YAML files with recursive aliases that cause excessive CPU and RAM consumption, leading to denial of service. Detection can focus on monitoring unusual resource usage patterns on systems running vulnerable MarkUs versions (prior to 2.9.4).

Specifically, you can monitor for high CPU or memory usage spikes related to the MarkUs application process, especially during YAML file uploads or processing.

While no specific detection commands are provided in the resources, general system commands to monitor resource usage include:

  • Using top or htop to observe CPU and memory usage: `top` or `htop`
  • Checking process-specific resource consumption: `ps aux --sort=-%mem | grep markus` or `ps aux --sort=-%cpu | grep markus`
  • Monitoring logs for unusual or repeated YAML upload attempts or errors related to YAML parsing in MarkUs logs (location depends on deployment)

Network detection could involve monitoring for suspicious upload activity targeting the YAML upload feature by course instructors, but no specific network commands or signatures are provided.

Mitigation Strategies

The primary mitigation step is to upgrade MarkUs to version 2.9.4 or later, which includes patches that limit YAML file sizes and the number of nodes, preventing the exploitation of recursive YAML aliases.

Additional mitigations introduced in version 2.9.4 include configuration settings to control zip extraction limits, which help protect against zip bomb attacks.

Until the upgrade can be applied, consider restricting or disabling the ability for course instructors to upload YAML files, or implement monitoring to detect and block suspicious YAML uploads.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27807. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart