CVE-2026-28405
Received Received - Intake
Cross-Site Scripting in MarkUs HTML Submission Rendering

Publication date: 2026-03-05

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content route reads the contents of a student-submitted file and renders them without sanitization. This issue has been patched in version 2.9.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-10
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28405
EUVD
EUVD-2026-9870
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
markusproject markus to 2.9.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28405 is a high-severity stored Cross-Site Scripting (XSS) vulnerability in the MarkUs web application, specifically affecting versions up to 2.9.0. The vulnerability exists in the route that reads and renders the contents of student-submitted files without proper sanitization, allowing malicious JavaScript embedded in submissions to execute with elevated instructor or grader permissions.

The issue arises because while some file types like Jupyter notebooks are sanitized during HTML rendering, others such as RMarkdown files are not sanitized, enabling attackers to inject malicious scripts. Additionally, specially crafted URLs targeting this route with certain file types (e.g., .js files) can also trigger the attack.

This vulnerability was patched in MarkUs version 2.9.1 by removing the vulnerable route and enforcing Content Security Policy (CSP) rules to prevent execution of embedded scripts.

Impact Analysis

This vulnerability can have a significant impact by allowing attackers to execute malicious JavaScript code with elevated privileges of instructors or graders when viewing student submissions. This can lead to unauthorized access to sensitive information, modification of data, and disruption of availability.

  • Confidentiality Impact: Attackers can steal sensitive data accessible to instructors or graders.
  • Integrity Impact: Attackers can alter data or submissions, potentially affecting grading or course content.
  • Availability Impact: The attack could disrupt the normal operation of the application, affecting availability.

The attack can be performed remotely over the network with low complexity and low privileges, requiring only that a user views the malicious submission.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability exists in MarkUs versions up to and including 2.9.0, specifically in the route courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content which renders student-submitted files without sanitization.'}, {'type': 'paragraph', 'content': 'To detect if your system is vulnerable, first verify the MarkUs version in use. If it is 2.9.0 or earlier, the system is potentially vulnerable.'}, {'type': 'paragraph', 'content': 'You can check for the presence of the vulnerable route by inspecting the web application routes or logs for access to the html_content endpoint.'}, {'type': 'paragraph', 'content': 'Suggested commands include:'}, {'type': 'list_item', 'content': "Check MarkUs version: `grep 'version' path/to/markus/version/file` or check application metadata."}, {'type': 'list_item', 'content': "Search web server logs for requests to the vulnerable route: `grep '/submissions/html_content' /var/log/nginx/access.log` (adjust path as needed)."}, {'type': 'list_item', 'content': 'Scan for files or submissions containing potentially malicious scripts, especially in RMarkdown files, by searching for script tags or suspicious JavaScript content.'}, {'type': 'paragraph', 'content': 'Note that no specific detection commands are provided in the resources, so these suggestions are based on understanding the vulnerability context.'}] [2, 1]

Mitigation Strategies

The primary and recommended mitigation is to upgrade MarkUs to version 2.9.1 or later, where the vulnerable html_content route has been removed and additional security measures have been implemented.

Additional mitigation steps include:

  • Remove or disable the vulnerable route `courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content` if upgrading immediately is not possible.
  • Enforce Content Security Policy (CSP) rules to prevent execution of embedded scripts in rendered student submissions.
  • Validate and sanitize all student-submitted files before rendering, especially RMarkdown files which lack built-in sanitization.
  • Review and apply the security fixes described in the 2.9.1 update, including zip entry name verification and secure extraction to prevent directory traversal.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28405. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart