CVE-2026-27807

low-risk

Published 2026-03-06

MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.4, MarkUs allows course instructors to upload YAML files to create/update various entities (e.g., assignment settings). These YAML files are parsed with aliases enabled. This issue has been patched in version 2.9.4.

Do I need to act?

0.07% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.9/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Markus

Affected Vendors

Markusproject

References (2)

Product https://github.com/MarkUsProject/Markus/releases/tag/v2.9.4

Vendor Advisory https://github.com/MarkUsProject/Markus/security/advisories/GHSA-m9rx-85mx-q9h6

/ 100

low-risk

Severity 20/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal