CVE-2026-28405
Cross-Site Scripting in MarkUs HTML Submission Rendering
Publication date: 2026-03-05
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| markusproject | markus | up to 2.9.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28405 is a high-severity stored Cross-Site Scripting (XSS) vulnerability in the MarkUs web application, specifically affecting versions up to 2.9.0. The vulnerability exists in the route that reads and renders the contents of student-submitted files without proper sanitization, allowing malicious JavaScript embedded in submissions to execute with elevated instructor or grader permissions.
The issue arises because, while some file types such as Jupyter notebooks are sanitized during HTML rendering, others such as RMarkdown files are not, so script content embedded in those files is delivered to the viewer unchanged. Additionally, specially crafted URLs targeting this route with certain file types (e.g., .js files) can also trigger the attack.
This vulnerability was patched in MarkUs version 2.9.1 by removing the vulnerable route and enforcing Content Security Policy (CSP) rules to prevent execution of embedded scripts.
How can this vulnerability impact me?
This vulnerability can have a significant impact by allowing attackers to execute malicious JavaScript code with elevated privileges of instructors or graders when viewing student submissions. This can lead to unauthorized access to sensitive information, modification of data, and disruption of availability.
- Confidentiality Impact: Attackers can steal sensitive data accessible to instructors or graders.
- Integrity Impact: Attackers can alter data or submissions, potentially affecting grading or course content.
- Availability Impact: The attack could disrupt the normal operation of the application, affecting availability.
The attack can be performed remotely over the network with low complexity and low privileges, requiring only that a user views the malicious submission.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability exists in MarkUs versions up to and including 2.9.0, specifically in the route `courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content`, which renders student-submitted files without sanitization.
To detect whether your system is vulnerable, first verify the MarkUs version in use. If it is 2.9.0 or earlier, the system is potentially vulnerable.
You can check for the presence of the vulnerable route by inspecting the web application routes, or check logs for access to the html_content endpoint.
Suggested commands include:
- Check MarkUs version: `grep 'version' path/to/markus/version/file` or check application metadata.
- Search web server logs for requests to the vulnerable route: `grep '/submissions/html_content' /var/log/nginx/access.log` (adjust path as needed).
- Scan submissions for potentially malicious scripts, especially in RMarkdown files, by searching for script tags or suspicious JavaScript content.
Note that no specific detection commands are provided in the resources, so these suggestions are based on understanding the vulnerability context.
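The log grep above only tells you that the route was hit. The following Ruby script, added here as an illustration and not part of MarkUs or of the advisory, goes one step further: it parses combined-format access log lines, keeps only requests to the html_content route, pulls out the course and assignment IDs and the requested file's extension, and ranks each hit by the file types the advisory names (RMarkdown and .js as unsanitized, Jupyter notebooks as sanitized). The log lines are constructed samples, and the query parameter name `file_name` is an assumption for the sake of the example; adapt it to the parameter your logs actually show.

```ruby
require 'cgi'

# Constructed sample nginx access log lines (combined format); not real traffic.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [05/Mar/2026:10:01:12 +0000] "GET /courses/3/assignments/7/submissions/html_content?file_name=report.Rmd HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  10.0.0.5 - - [05/Mar/2026:10:02:40 +0000] "GET /courses/3/assignments/7/submissions/html_content?file_name=analysis.ipynb HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
  10.0.0.9 - - [05/Mar/2026:10:03:01 +0000] "GET /courses/3/assignments/8/submissions/html_content?file_name=payload.js HTTP/1.1" 200 300 "-" "Mozilla/5.0"
  10.0.0.9 - - [05/Mar/2026:10:03:05 +0000] "GET /courses/3/assignments/8/submissions/browse HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
  10.0.0.2 - - [05/Mar/2026:10:04:00 +0000] "POST /courses/3/assignments/8/submissions/html_content?file_name=notes.html HTTP/1.1" 404 12 "-" "curl/8.0"
LOG

# Route shape taken from the advisory; the query parameter name is assumed.
ROUTE_RE = %r{\A/courses/(\d+)/assignments/(\d+)/submissions/html_content(?:\?(.*))?\z}

# File types the advisory singles out: RMarkdown is rendered without a
# sanitizer and .js URLs can also trigger the issue; notebooks are sanitized.
UNSANITIZED_EXTS = %w[rmd js].freeze
SANITIZED_EXTS   = %w[ipynb].freeze

# Combined log format: client, ident, user, [time], "METHOD target proto", status
LINE_RE = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /

# Parse one log line into a hash, or return nil if it is not in the expected format.
def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  { ip: m[1], time: m[2], method: m[3], target: m[4], status: m[5].to_i }
end

# Classify one parsed request; nil unless it targets the html_content route.
def classify(entry)
  m = ROUTE_RE.match(entry[:target])
  return nil unless m
  params = m[3] ? CGI.parse(m[3]) : {}
  file = params.fetch('file_name', [nil]).first
  ext = file ? File.extname(file).delete_prefix('.').downcase : ''
  risk = if UNSANITIZED_EXTS.include?(ext) then :high
         elsif SANITIZED_EXTS.include?(ext) then :low
         else :unknown
         end
  entry.merge(course_id: m[1].to_i, assignment_id: m[2].to_i, file: file, ext: ext, risk: risk)
end

# Scan a whole log body; returns one finding per request to the vulnerable route.
def scan_log(text)
  text.each_line.filter_map do |line|
    entry = parse_line(line.strip)
    entry && classify(entry)
  end
end

# Only the findings an analyst should look at first.
def high_risk(text)
  scan_log(text).select { |f| f[:risk] == :high }
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |f|
    puts format('%-8s %-10s %-5s course=%d assignment=%d file=%s status=%d',
                f[:risk], f[:ip], f[:method], f[:course_id], f[:assignment_id], f[:file], f[:status])
  end
end
```

Run it against a real file with `scan_log(File.read('/var/log/nginx/access.log'))`. Unknown extensions are reported rather than dropped, so a file type the advisory does not list still shows up for manual review; the status code is kept because a 404 after the upgrade to 2.9.1 (route removed) is itself useful evidence of attempted access.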
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to upgrade MarkUs to version 2.9.1 or later, where the vulnerable html_content route has been removed and additional security measures have been implemented.
Additional mitigation steps include:
- Remove or disable the vulnerable route `courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content` if upgrading immediately is not possible.
- Enforce Content Security Policy (CSP) rules to prevent execution of embedded scripts in rendered student submissions.
- Validate and sanitize all student-submitted files before rendering, especially RMarkdown files which lack built-in sanitization.
- Review and apply the security fixes described in the 2.9.1 update, including zip entry name verification and secure extraction to prevent directory traversal.
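To make the CSP and sanitization points concrete, here is an added Ruby example (not MarkUs code, and not the 2.9.1 fix, which removed the route altogether). It contrasts a raw renderer that returns a submitted file as `text/html` with no policy, which is the behaviour the description attributes to the vulnerable route, with a hardened renderer that escapes any type lacking an HTML sanitizer into a `<pre>` block and always sends a script-forbidding CSP plus `nosniff`. The sample RMarkdown file is constructed, the `sanitizer` callable is a placeholder for whatever notebook sanitizer an application already has, and the CSP string is one reasonable choice rather than the project's.

```ruby
require 'cgi'

# Constructed sample submission: an RMarkdown file with an embedded script tag.
SAMPLE_RMD = <<~RMD
  ---
  title: "Assignment 1"
  ---
  # Results
  <script>document.title = 'injected'</script>
  Mean: `r mean(x)`
RMD

# Hardened policy for a page that displays untrusted submissions: no scripts
# from any source, no inline handlers, and a sandbox so the rendered document
# cannot act with the application's origin.
HARDENED_CSP = "default-src 'none'; style-src 'self'; img-src 'self' data:; sandbox; form-action 'none'".freeze

# Per the advisory, notebooks already had a sanitizer; everything else did not.
SANITIZED_TYPES = %w[ipynb].freeze

# What the vulnerable route effectively did per the description: the file body
# goes back as HTML with no policy, so embedded scripts run in the viewer's session.
def render_raw(_filename, content)
  [200, { 'Content-Type' => 'text/html; charset=utf-8' }, content]
end

# Hardened rendering: unsanitized types are never interpreted as HTML, and the
# CSP and nosniff headers are sent regardless of file type.
def render_hardened(filename, content, sanitizer: nil)
  ext = File.extname(filename).delete_prefix('.').downcase
  body =
    if SANITIZED_TYPES.include?(ext) && sanitizer
      sanitizer.call(content)            # hypothetical sanitizer, supplied by the caller
    else
      "<pre>#{CGI.escapeHTML(content)}</pre>"
    end
  headers = {
    'Content-Type' => 'text/html; charset=utf-8',
    'Content-Security-Policy' => HARDENED_CSP,
    'X-Content-Type-Options' => 'nosniff'
  }
  [200, headers, body]
end

# Review checks: does the body still carry a live <script> tag, and does the
# CSP's effective script directive forbid execution? (A bare `sandbox` would
# also block scripts; this check only inspects script-src / default-src.)
def raw_script_tag?(body)
  body.match?(/<script\b/i)
end

def csp_blocks_scripts?(headers)
  directives = headers['Content-Security-Policy'].to_s.split(';').map(&:strip)
  script  = directives.find { |d| d.start_with?('script-src') }
  default = directives.find { |d| d.start_with?('default-src') }
  effective = script || default
  !effective.nil? && effective.split[1..] == ["'none'"]
end

if __FILE__ == $PROGRAM_NAME
  status, headers, body = render_hardened('report.Rmd', SAMPLE_RMD)
  puts "#{status} CSP=#{headers['Content-Security-Policy']}"
  puts body
end
```

The two checks are the kind of thing to put in a request spec for any route that displays student files: assert that the response to an unsanitized type contains no raw script tag and that the policy header forbids scripts, so a future change that reintroduces raw rendering fails the suite rather than shipping.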