CVE-2026-27807
YAML Alias Injection in MarkUs Before 2.9.4 Enables Code Execution

Publication date: 2026-03-06

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs allows course instructors to upload YAML files to create/update various entities (e.g., assignment settings). These YAML files are parsed with aliases enabled. This issue has been patched in version 2.9.4.
Meta Information
Published: 2026-03-06
Last Modified: 2026-03-12
Generated: 2026-05-07
AI Q&A: 2026-03-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: markusproject
Product: markus
Version / Range: before 2.9.4 (2.9.4 excluded)
CWE
CWE-776: The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27807 is a moderate severity vulnerability in the MarkUs web application that affects versions prior to 2.9.4. It arises from the way MarkUs handles YAML configuration file uploads by course instructors. The YAML parser processes aliases without restrictions, allowing an attacker to craft a specially designed "billion laughs" style YAML payload. This payload triggers exponential alias expansion, which causes excessive CPU and RAM consumption, leading to a denial of service (DoS). The root cause is improper restriction of recursive entity references in Document Type Definitions (DTDs), classified under CWE-776. [2]


How can this vulnerability impact me?

This vulnerability can impact you by causing a denial of service (DoS) condition on the MarkUs application. An attacker with network access and high privileges can exploit the unrestricted YAML alias expansion to consume excessive CPU and memory resources, potentially making the application unavailable to legitimate users. There is no impact on confidentiality or integrity, but availability is affected.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the processing of malicious YAML files with recursive aliases that cause excessive CPU and RAM consumption, leading to denial of service. Detection can focus on monitoring unusual resource usage patterns on systems running vulnerable MarkUs versions (prior to 2.9.4).

Specifically, you can monitor for high CPU or memory usage spikes related to the MarkUs application process, especially during YAML file uploads or processing.

While no specific detection commands are provided in the resources, general system commands to monitor resource usage include:

  • Using top or htop to observe CPU and memory usage: `top` or `htop`
  • Checking process-specific resource consumption: `ps aux --sort=-%mem | grep markus` or `ps aux --sort=-%cpu | grep markus`
  • Monitoring logs for unusual or repeated YAML upload attempts or errors related to YAML parsing in MarkUs logs (location depends on deployment)

Network detection could involve monitoring for suspicious upload activity targeting the YAML upload feature by course instructors, but no specific network commands or signatures are provided.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade MarkUs to version 2.9.4 or later, which includes patches that limit YAML file sizes and the number of nodes, preventing the exploitation of recursive YAML aliases.

Additional mitigations introduced in version 2.9.4 include configuration settings to control zip extraction limits, which help protect against zip bomb attacks.

Until the upgrade can be applied, consider restricting or disabling the ability for course instructors to upload YAML files, or implement monitoring to detect and block suspicious YAML uploads.
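The patched release is described as limiting YAML file size and node count. The following is an added example, not MarkUs code, of how such a guard can be written for Psych, the YAML library assumed here because MarkUs is a Rails application; it goes one step beyond a raw node count by computing the size the document would have after every alias is expanded, because Psych's parser leaves aliases unexpanded and a small file can still describe an enormous logical document. The limits, function names and sample documents are assumptions.

```ruby
require 'psych'

MAX_YAML_BYTES = 64 * 1024   # assumed upload size limit
MAX_EXPANDED_NODES = 10_000  # assumed budget for the fully expanded document

class YamlBudgetExceeded < StandardError; end

# Size of the document after every alias is replaced by the subtree it
# names, computed without building that tree. Psych.parse leaves aliases
# unexpanded, so the walk is linear in file size: an alias just costs the
# recorded size of its anchor. Anchors must precede their aliases, so a
# self-referencing alias is rejected instead of becoming a cyclic graph.
def expanded_size(node, anchors, budget)
  size = case node
         when Psych::Nodes::Alias
           return anchors.fetch(node.anchor) { raise YamlBudgetExceeded, "alias *#{node.anchor} has no preceding anchor" }
         when Psych::Nodes::Scalar then 1
         else 1 + node.children.sum { |child| expanded_size(child, anchors, budget) }
         end
  raise YamlBudgetExceeded, "document expands to more than #{budget} nodes" if size > budget
  anchors[node.anchor] = size if node.respond_to?(:anchor) && node.anchor
  size
end

# Guarded loader: byte limit, expansion budget, then a safe load that still
# honours aliases, so legitimate reuse of a shared settings block keeps working.
def load_instructor_yaml(text, max_bytes: MAX_YAML_BYTES, max_nodes: MAX_EXPANDED_NODES)
  raise YamlBudgetExceeded, "file exceeds #{max_bytes} bytes" if text.bytesize > max_bytes
  doc = Psych.parse(text)
  return nil unless doc # empty input
  expanded_size(doc, {}, max_nodes)
  Psych.safe_load(text, aliases: true)
end

# Constructed sample inputs: a benign file that reuses one anchor, and a
# nested-alias document of the kind the advisory describes, which stays
# tiny on disk while its expanded size grows by a factor of `fanout` per level.
BENIGN_DOC = "name: &n Assignment 1\nalias: *n\nlist: [1, 2, 3]\n".freeze

def nested_alias_doc(levels, fanout)
  lines = ['l0: &l0 x']
  (1..levels).each { |i| lines << "l#{i}: &l#{i} [#{Array.new(fanout, "*l#{i - 1}").join(', ')}]" }
  lines.join("\n") + "\n"
end
```

Calling load_instructor_yaml(BENIGN_DOC) returns the parsed hash, while load_instructor_yaml(nested_alias_doc(8, 9)) raises YamlBudgetExceeded at the fifth level, before any expanded structure is built.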

