CVE-2026-27807 in MarkUs
Summary
by MITRE • 03/06/2026
MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs allows course instructors to upload YAML files to create/update various entities (e.g., assignment settings). These YAML files are parsed with aliases enabled. This issue has been patched in version 2.9.4.
Analysis
by VulDB Data Team • 03/12/2026
The vulnerability identified as CVE-2026-27807 affects MarkUs, a web-based platform for student assignment submission and grading. The application lets course instructors manage various entities through YAML file uploads, which create or update assignment settings and other course-related configuration. The core flaw is that the YAML parser runs with aliases enabled, which creates a potential attack vector for malicious actors.
Technically, the vulnerability stems from the parser's handling of aliases during file processing. With aliases enabled, a YAML document can contain object references, which can be used to build recursive structures or reach restricted resources. This creates a path for arbitrary code execution or data manipulation that bypasses normal access controls. The issue is particularly concerning because it operates at the configuration level, where instructors already hold elevated privileges, so an attacker could potentially escalate privileges further or manipulate core system settings. The problem manifests when an instructor uploads a YAML file containing maliciously crafted alias references, which the parser processes without sufficient sanitization or validation.
The operational impact extends beyond simple data corruption or unauthorized access. An attacker could potentially execute arbitrary commands on the server hosting MarkUs, leading to complete system compromise. Alias-enabled parsing lets an attacker construct YAML documents that exploit deserialization weaknesses, potentially injecting malicious code or accessing sensitive system resources. Depending on the server configuration and the privileges granted to the application, this could result in unauthorized modification of assignment settings, manipulation of grading data, or complete system takeover.
Mitigation for CVE-2026-27807 centres on updating to version 2.9.4 or later, which addresses the parsing issue by disabling aliases in the YAML processing pipeline. Organizations should also add compensating controls: validate all uploaded YAML files against strict schemas, restrict accepted file types, and monitor upload activity for suspicious patterns. The vulnerability aligns with CWE-502 (deserialization of untrusted data) and may map to ATT&CK techniques involving privilege escalation and execution through configuration files. Security teams should also consider network-based intrusion detection to flag unusual file upload patterns, and should ensure that only authorized personnel can upload configuration files to the system.
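To make the alias hazard described in the analysis and the "disable aliases" fix concrete, here is an added Ruby/Psych example (not MarkUs code; MarkUs is assumed to be a Ruby on Rails application). The settings document and the recursive document are constructed samples, and the loader function names are illustrative.

```ruby
require "yaml"

# Constructed sample: an "assignment settings" upload using a YAML anchor (&common)
# and two aliases (*common). Illustrative data, not a real MarkUs file.
SETTINGS_WITH_ALIASES = <<~YAML
  defaults: &common
    allow_remarks: true
    group_max: 3
  assignments:
    - short_identifier: A1
      settings: *common
    - short_identifier: A2
      settings: *common
YAML

# Constructed sample: a self-referential alias, which builds a recursive structure.
RECURSIVE_SETTINGS = <<~YAML
  settings: &s
    nested: *s
YAML

# Vulnerable configuration: aliases enabled. Psych resolves every alias to the
# anchored object, so both assignments share ONE settings Hash, and a self-
# referential alias yields a cyclic object that later serialization or
# deep-copy code may loop on.
def load_with_aliases(yaml)
  YAML.safe_load(yaml, aliases: true)
end

# Hardened loader: safe_load with aliases disabled and no extra permitted
# classes. Psych refuses alias nodes instead of expanding them.
def load_without_aliases(yaml)
  YAML.safe_load(yaml, permitted_classes: [], aliases: false)
  :accepted
rescue Psych::BadAlias # Psych::AliasesNotEnabled (Psych 4) is a subclass of BadAlias
  :rejected_alias
end

# Pre-check for an upload handler: walk the parsed node tree and count alias
# nodes, so alias-bearing files can be logged and rejected before any Ruby
# object is constructed from them.
def count_aliases(yaml)
  Psych.parse(yaml).each.count { |node| node.is_a?(Psych::Nodes::Alias) }
end
```

Running `load_with_aliases` on the first sample returns a document in which editing A1's settings silently changes A2's, while `load_without_aliases` rejects both samples and accepts alias-free YAML.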