CVE-2026-28405 Overview
CVE-2026-28405 is a Cross-Site Scripting (XSS) vulnerability affecting MarkUs, a web application designed for the submission and grading of student assignments. Prior to version 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content route reads the contents of a student-submitted file and renders them without proper sanitization. This allows malicious users to inject and execute arbitrary JavaScript code within the context of the application, potentially compromising user sessions, stealing credentials, or performing unauthorized actions.
Critical Impact
Authenticated users can submit malicious files containing JavaScript payloads that execute when instructors or other users view the submission, enabling session hijacking, data theft, and unauthorized access to the grading system.
Affected Products
- MarkUs versions prior to 2.9.1
- MarkUs web application for student assignment submission and grading
- Educational institutions using vulnerable MarkUs deployments
Discovery Timeline
- March 5, 2026 - CVE CVE-2026-28405 published to NVD
- March 5, 2026 - Last updated in NVD database
Technical Details for CVE-2026-28405
Vulnerability Analysis
This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The flaw exists in the HTML content rendering functionality where student-submitted files are displayed without proper input sanitization or output encoding.
In educational environments like MarkUs, students routinely submit various file types including HTML documents. When an instructor or grader accesses the html_content route to view a submission, the application reads the file contents and renders them directly in the browser. Without sanitization, any malicious JavaScript embedded in the submitted file executes in the context of the viewer's authenticated session.
The attack requires network access and a low-privileged authenticated account (student-level access), but successful exploitation can lead to significant impact including unauthorized access to grading functions, modification of grades, and exposure of other students' submissions.
Root Cause
The root cause is the lack of input sanitization when rendering user-submitted HTML content. The application trusted student-uploaded file contents and rendered them directly in the browser without encoding special characters or stripping potentially dangerous script tags and event handlers. This reflects a broader issue of improper path handling and content validation in the file processing workflow.
Attack Vector
The attack vector involves an authenticated student uploading a malicious HTML or JavaScript file as part of an assignment submission. When an instructor or teaching assistant navigates to view the submission through the html_content endpoint, the malicious payload executes in their browser with their session privileges. This stored XSS attack can:
- Steal session cookies and authentication tokens
- Perform actions on behalf of the instructor (grade modification, accessing other submissions)
- Redirect users to phishing pages
- Exfiltrate sensitive data from the application
zip_file.glob(test_file_glob_pattern) do |entry|
zip_file_path = Pathname.new(entry.name)
filename = zip_file_path.relative_path_from(CONFIG_FILES[:automated_tests_dir_entry])
- file_path = File.join(assignment.autotest_files_dir, filename.to_s)
+ file_path = File.expand_path(File.join(assignment.autotest_files_dir, filename.to_s))
+
+ unless file_path.start_with?(File.expand_path(assignment.autotest_files_dir))
+ raise I18n.t('errors.invalid_zip_entry', entry_name: filename.to_s)
+ end
+
if entry.directory?
FileUtils.mkdir_p(file_path)
else
FileUtils.mkdir_p(File.dirname(file_path))
- test_file_content = entry.get_input_stream.read
- File.write(file_path, test_file_content, mode: 'wb')
+ # Extract the entry to file_path. destination_directory is '/' because file_path is an absolute path
+ entry.extract(file_path, destination_directory: '/')
end
end
end
Source: GitHub Commit 55d74f2
Detection Methods for CVE-2026-28405
Indicators of Compromise
- Unusual JavaScript code patterns in student submission files (e.g., <script> tags, event handlers like onerror, onload)
- Unexpected outbound network requests from instructor browser sessions when viewing submissions
- Anomalous session activity following submission review actions
- Cookie exfiltration attempts to external domains in web server logs
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block unauthorized script execution
- Monitor web application firewall (WAF) logs for XSS payload patterns in file uploads
- Review access logs for the html_content endpoint and correlate with unusual subsequent activity
- Scan uploaded submission files for malicious JavaScript patterns during the upload process
Monitoring Recommendations
- Enable detailed logging for the submissions/html_content route and monitor for suspicious access patterns
- Configure browser-based CSP violation reporting to identify attempted XSS exploitation
- Implement file content analysis for submissions containing HTML or JavaScript
- Set up alerts for session anomalies following submission viewing activities
How to Mitigate CVE-2026-28405
Immediate Actions Required
- Upgrade MarkUs to version 2.9.1 or later immediately
- Review recent submission files for potentially malicious content before viewing
- Implement Content Security Policy headers as a defense-in-depth measure
- Audit access logs for the html_content endpoint to identify potential exploitation
Patch Information
The MarkUs development team has addressed this vulnerability in version 2.9.1. The patch implements proper path validation and secure file extraction to prevent malicious content from being rendered unsafely. Organizations should upgrade to this version immediately. For detailed patch information, refer to the GitHub Release v2.9.1 and the GitHub Security Advisory GHSA-p5pc-pxrj-3893.
Workarounds
- Disable the html_content rendering feature until patching is complete
- Implement a reverse proxy rule to block or sanitize responses from the vulnerable endpoint
- Configure strict Content Security Policy headers with script-src 'self' to prevent inline script execution
- Instruct instructors to download and review submissions locally rather than viewing in-browser
# Example nginx configuration to add Content Security Policy headers
location /courses {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
